Method, system and device for securing and managing access to a lock and providing surveillance

ABSTRACT

A method for commissioning a collection of electronic locks by inserting the same electronic key into each of the locks and recording in the electronic key and internal code unique to that lock which identifies the lock and is needed to open the lock and a method for biometrically permitted controlled secure access to a container having one of the commissioned electronic locks. A data processing machine is configured to make biometric identifications, credential identifications and input identifications to verify users using the system and control and regulate user access to locks or electronic cylinders.

CROSS REFERENCE TO RELATED PATENT APPLICATIONS

This patent application claims the benefit of U.S. patent applicationSer. No. 15/178,352, entitled “Method, System And Device For SecuringAnd Managing Access To A Lock And Providing Surveillance” filed on Jun.9, 2016, which claims the benefit under 35 U.S.C. 119 and 35 U.S.C. 120of U.S. patent application Ser. No. 13/668,912, entitled, “System,Method and Apparatus for Creating and Maintaining Biometric Secure SafeDeposit Boxes, and Similar Containers and Facilities”, filed on Nov. 5,2012, which claims the benefit under 35 U.S.C. 119 and 35 U.S.C. 120 ofU.S. provisional application Ser. No. 61/555,042 entitled “Method forSecuring and Accessing a Safe,” filed Nov. 3, 2011. The disclosures ofthe '042, '912 and '352 applications are hereby incorporated byreference in their entireties.

BACKGROUND OF THE INVENTION 1. Field of the Invention

This invention relates to methods and apparatus for creating andmaintaining biometric secure containers such as safe deposit boxes byrequiring a person seeking access to the secure container or facility tohave a biometric match with biometric data previously provided by thatperson stored in a database, before the person can be permitted accessto the secure container or facility. This invention also relates tomethods and apparatus for creating and maintaining biometric securelocking systems for regulating access to one or more locks, by requiringa person seeking access to the secure container or facility to havematches, such as a biometric match with biometric data previouslyprovided by that person stored in a database, a pin or code, and/orcredential enrollment and usage. An electronically readable identifier,such as a card that can be authenticated, entry of a pin or passcode,and a biometric identification match may be required before the personcan be permitted access to the lock, and/or the secure facility orcomponent regulated by the lock or electronic cylinder.

2. Description of the Prior Art

Electronic lock cylinders are used to secure access to structures,containers and other areas or objects to which access is to beregulated. One example of an electronic lock cylinder is set forth inGerman Patent Document DE 8,700,375.9, which discloses an electronicdouble-lock cylinder comprising two coaxially rotatable cylinder coresin bores of cylinder sections of its profile housing. The cylinder coresare lockable relative to the profile housing by mechanical tumblers andinclude a keyway, extending in the direction of the cylinder axis, for aflat key controlling the tumblers. The two cylinder sections of theprofile housing are joined by a common root section projecting radiallyfrom the cylinder sections, and accommodate a lockable part capable ofcoupling alternately with the two cylinder cores. In addition to themechanical locking function of the flat key, means are provided fortransmitting control information, e.g., including coding information,between the lock cylinder and the flat key. Specifically, an informationdetection means responding contactless to control information signals ofa control circuit of the flat key is disposed at the profile housing inthe region of at least one of the cylinder cores. The informationdetection means at the profile housing is connected to a control andpower-supply circuit disposed with at least some of its circuitcomponents separate from the lock cylinder, i.e., externally, by meansof a cable which includes a plug connector. In the known lock cylinder,the plug connector is disposed at the free end of a cable sectionconnected firmly to the lock cylinder by its other end.

Electronic keys and locks are discussed in our prior patent applicationSer. No. 13/688,912, where the electronic key has a rechargeable powersupply and is electronically programmable to open an electronicallyprogrammable lock. There is a discussion of safe deposit boxes employedwith the electronic key and locks.

Safe deposit boxes and teller lock boxes have been used in banks andother financial institutions for many years. The typical safe depositbox requires two mechanical keys for the box to be opened. When acustomer goes to the bank and seeks access to the customer's safedeposit box, the customer must sign a card indicating that the customeris requesting access to the safe deposit box and the customer must havethe customer's key for that particular customer's safe deposit box. Abank employee then obtains the bank's key for the safe deposit box,whereupon the customer and the bank employee enter a secure area,typically within the bank vault, where the safe deposit boxes arelocated. The customer then inserts the customer's key into one of thelock portions of the safe deposit box and the bank employee inserts thebank's key into a second lock portion of the safe deposit box. When bothkeys are turned, the two lock portions move the lock to the openposition, whereupon the safe deposit box can be removed and the customermay access the box to conduct the customer's business. When the customeris finished with his or her business, the customer must summon the bankemployee with the bank's key whereupon the safe deposit box is insertedback into its slot in which the box resides, the door to the safedeposit box is closed, the customer inserts the customer's key into oneof the lock portions of the safe deposit box door and the bank employeeinserts the bank's key into the other lock portion of the safe depositbox door, the customer and the bank employee then turn their keysthereby locking the safe deposit box door against intrusion byunauthorized personnel.

Similarly to the operation of the traditional safe deposit box, nearlyevery bank teller has a teller drawer in which cash and perhaps checks,that are processed by that particular teller during the teller's shiftof work, are kept. Typically such a teller drawer has a two lock partsimilarly to a safe deposit box. Currency is typically deposited intothe teller's drawer through a slot that is much too small for a humanhand to pass through. When it is desired to open the teller's drawer,the teller summons a colleague employed by the bank. The teller and thebank colleague each have a key, with the bank colleague having thebank's so-called master key. The teller and the bank employee insert therespective keys into two separate lock portions that maintain the tellerdrawer secure. The teller and the bank employee then duplicate theprocedure followed by the bank employee and the bank customer asdescribed above, opening the lock using the two keys thereby providingaccess to the teller drawer so that the currency may be removed, othervaluables may be stored in the teller drawer, etc.

These procedures are cumbersome, time-consuming and require a bankemployee to participate in each operation.

SUMMARY OF THE INVENTION

In one of its aspects this invention provides a method for commissioninga collection of electronic locks where the method includes the steps ofinserting the same electronic key into each of the locks and recordingin the electronic key an internal code unique to that lock whichidentifies the lock and is needed to open the lock. The method proceedsby transferring the internal codes for each of the locks from theelectronic key into a data processing machine. The data processingmachine maintains the internal codes together with identifying codes foreach lock of the collection. As used herein, according to someembodiments, the data processing machine may be embodied in a terminalor kiosk.

Upon request by a potential customer, the data processing machineidentifies the internal code for a selected one of the locks, thecustomer has been previously identified as being authorized to accessmaterials secured by the selected lock. The data processing machineencodes the internal code for the selected lock into an electronic keythat is then useable by the identified authorized customer.

In another one of its aspects this invention provides a method forbiometrically electronically permitting only simultaneous controlledaccess to a container secured by an electronic lock where the methodcommences with the step of electronically biometrically identifying afirst customer to be given access on a simultaneous dual access basis toa container secured by the lock. The method proceeds with electronicallybiometrically identifying a second potential customer to be given accesson a simultaneous dual access basis to the container secured by thelock. The method further yet proceeds with the insertion of an activatedelectronic key into the lock and recording an internal code which isneeded to open the lock and which identifies the lock. The internal codefor that lock is then transferred into a data-processing machine whichmaintains the internal code for the lock of interest in thedata-processing machine. The method then proceeds by electronicallybiometrically identifying the first and second potential customers to begiven simultaneous access on a dual access basis to the containersecured by the lock. The method then proceeds by electronicallyconcurrently comparing the biometrically identified first potentialcustomer and the second biometrically identified potential customer to apreviously generated list of biometrically identified customersauthorized to have simultaneous access to the secured containers todetermine whether the first and second biometrically identifiedpotential customers are authorized to have such simultaneous access. Themethod then proceeds by providing the internal code in the form of aremovable electronic key to the first and second potential customersidentified concurrently as being authorized to simultaneously access thecontainer secured by the lock; this is done by encoding the internalcode into an electronic key usable by the identified authorized bysimultaneous customers.

In the preferred practice of this aspect of the invention the recordingof the internal code is performed within the electronic key. A step ofelectronically biometrically identifying potential customers ispreferably performed by electronically sensing fingerprints of thepotential customers. Alternatively, the step of electronicallybiometrically identifying potential customers may be performed byelectronically sensing a print of any fingers or thumbs of the potentialcustomers or the palms of the potential customers, or facial recognitionof a customer's face. In yet another aspect of the invention, the stepof electronically biometrically identifying potential customers may beperformed by electronically sensing eye characteristics of the potentialcustomers. In yet another aspect of the invention, the step ofelectronically biometrically identifying potential customers may beperformed by sensing the DNA of the potential customers.

In still another aspect of the invention, there is provided a method forbiometrically electronically controlling access to a container securedby an electronic lock. In this aspect of the invention the methodcommences by inserting an electronic key into the lock and recording aninternal code needed to open the lock where the code is recorded withinthe electronic key. The internal code for that lock is then transferredfrom the electronic key into a data processing machine. The internalcode is maintained together with an identifying code for the lock ofinterest in the data processing machine. The method then proceeds byelectronically biometrically identifying any person seeking to accessmaterials secured by the lock. The method further proceeds byelectronically comparing the biometrically identified person to apreviously generated list of biometrically identified persons authorizedto have access to the secured container to determine whether theidentified persons are authorized to have access. If the identifiedperson is found to be authorized to have access, the invention proceedsby providing the internal code to a person identified as authorized toaccess the container secured by the lock by encoding the internal codeinto an electronic key useable by the identified authorized personthereby to access the materials secured by the lock.

One of the important aspects of the invention is the incorporation of apersonal computer interface, for both touch screen and non-touch screenunits, with all necessary hardware and software to provide a deployableand standalone, yet enterprise scale all-in-one biometric lockingstation for programmable electromechanical cores and keys in accordancewith the invention.

A further important aspect of the invention are the key retention unitswhich are important because the software of the invention is able tocontrol when the keys are programmed and released, namely made availablefor the user to remove. This is important because without the keyretention units, the keys could become locked up or non-programmable ifthey are removed or replaced when the software is not expecting them tobe removed or replaced. For example, if the software is downloading aschedule into the key and the key is removed before the download iscompleted, the programming would fail and make the key unusable.Accordingly, the keys in accordance with the invention are locked inplace and only released when the software permits them to be released.

A method, system, and device are provided for regulating access to anelectronic lock and for providing surveillance of locks and lock usage,as well as surveillance and accounting of lock users and user activity.According to a preferred embodiment, the method may be carried outthrough a data processing machine. According to preferred embodiments,the data processing machine may be configured as a terminal or otherdevice to carry out provisioning of the keys. A key provisioning device,such as a terminal (also referred to as a kiosk), is configured tostore, or communicate with another device that stores access permissiondata for one or more locks of the system. For example, the dataprocessing machine identifies the internal code for a selected one ofthe locks, and the user has been previously identified as beingauthorized to access materials secured by the selected lock. The dataprocessing machine is configured to encode the internal code for theselected lock into an electronic key that is then useable by theidentified authorized user. In the case where the user is designated toreceive access to more than one lock, the codes for each lock of thesystem to which the user is entitled to access may be loaded into thekey.

According to a preferred embodiment, another aspect of the inventionprovides a terminal having a plurality of factor authenticationmechanisms. For example, one first factor authentication mechanism is amechanism that provides biometric identification of a user byelectronically comparing the biometrically identified user to apreviously generated list of biometrically identified users authorizedto access to the lock or structure, compartment or facility which thelock secures. The terminal preferably includes a second factorauthentication mechanism, which is reception of a pin or code that theuser may enter using a suitable input device, such as, for example, thetouch screen of the terminal, attached or associated keypad, or otherinput device. The terminal preferably is configured with a furtherfactor authentication mechanism. According to a preferred embodiment,the further authentication mechanism includes a reader for reading acredential, such as for example, an electronically readable card.

According to preferred embodiments, the terminal may be configured witha key retention mechanism which secures the electronic key to theterminal during the key programming, so as to eliminate the removal ofthe key until the programming has completed. The key retention mechanismpreferably mechanically locks the key and releases the key, as required.This feature may be provided in any of the embodiments shown ordescribed herein.

Embodiments of the terminal also include an anti-tampering mechanism,which, according to some embodiments comprises an anti-tamper switch.The anti-tamper switch is designed to sense a condition where the deviceis or was prone to tampering. The switch preferably is provided in thedevice circuitry and upon a triggering event, prevents further usage ofthe system (until the system is evaluated and placed back into anoperation mode by authorized personnel).

According to embodiments of the invention, the terminal preferably hasone or more processing components, which may include processors,microprocessors, controllers, microcontrollers, random access memory, apower supply or source, and storage media. The terminal may include oneor more ports for linking or communicating with associated accessories,some examples of which are a power cable port, a network jack, one ormore USB ports. Preferred embodiments, preferably are configured withoutwireless connectivity (i.e., preferably without Wi-Fi, Bluetooth, NFC,or other wireless communications).

The system preferably configures, programs, controls and maintains aprogrammable key and eCylinder lock system. The system, method anddevice are configured to track users. Embodiments of the system, methodand device also may implement controls as to locations that the user mayvisit and when the user may go, and what a user has access to. Themethod, system and device preferably are configured to track failedattempts by users to gain access to unauthorized or out of scheduleareas.

Embodiments of the system preferably are configured to operate inconjunction with programmable keys and electronic lock cores (such asthose provided by Medeco®, e.g., MEDECO XT programmable locks and keys).The system preferably is configured with a plurality of terminals, whichalso may be referred to as Multi-Factor Programmer (MFP) kiosks, whichauthenticate user access in connection with the user key and a pluralityof authentication mechanisms (such as, biometric identifiers, PIN codes,and/or physical access control credentials).

According to preferred embodiments, the method, system and devices areconfigured with a survey mechanism comprising a survey engine forevaluating information and reporting information. The survey enginepreferably comprises software that is configured with instructions forrecording the user data, which provides what the user accessed, when, aswell as what a user may have attempted to access.

According to some embodiments, the immediate survey data is provided bythe operations of the key.

According to some embodiments, the survey engine may be configured toobtain data from a user. For example, when a user configures the key(e.g., downloading lock codes or permissions from the terminal), theuser may be required to respond to prompts or queries. The prompts orqueries may be provided to the user on the terminal display (e.g., touchscreen), or require the user to input a selection using an input device(e.g., keypad, pen, microphone). If the system manager or companydesires to inquire of the key user, the inquiry may be presented to theuser so that the user must respond before the key is programmed, or isreleased from the terminal or both.

According to some implementations, some preferred embodiments, forexample, may provide an electronic key for a user who is a driver thatdrives a route for a company or employer. The electronic key may givethe user access to certain facilities or structures on the route or atroute locations. The system may be configured to identify when a userprofile contains information that the user is required to address. Theinformation may be communicated to the system, or stored within thesystem and generated as an alert. One example is where the user is adriver whose license expired. Upon placing the key in the terminal foraccess authorization, the license expiration alert is present in theuser profile. The system is configured to determine whether any alertsexist for the user. When the system identifies a condition, such as theexpired license alert, the system may be configured to deny the useraccess to authenticate the key, or to undertake one or more additionalsteps. In this case, the one additional step may be for the user toenter updated driver license information (if the user has renewed thelicense). According to some embodiments, the system may operate a checkof the user's license to process it against a database or send it forconfirmation. When confirmation is received, then the key may beprovisioned with the lock codes that the user is authorized to have, andthe key may be released to the user. This may take place while the useris logging on and activating the key at the terminal.

The system may be configured with dual-control and dual-custodycapabilities. For example, according to one of its aspects, accesscontrol to a lock and the structure or facility to which the lockregulates, may be implemented by biometrically electronically permittingonly simultaneous controlled access to a structure secured by anelectronic lock where the method commences with the step ofelectronically biometrically identifying a first user to be given accesson a simultaneous dual access basis to a structure secured by the lock.According to embodiments, the multi-factor terminal may be utilized tocarry out the simultaneous controlled access. The method may proceedwith electronically biometrically identifying a second potential user tobe given access on a simultaneous dual access basis to the structuresecured by the lock, and may include one or more factors to identify theuser, including, for example, biometric identification, plus anelectronic credential (which the reader may read) and/or a PIN that maybe entered (e.g., on the terminal screen display).

The method further yet proceeds with the insertion of an activatedelectronic key into the lock and recording an internal code which isneeded to open the lock and which identifies the lock. The internal codefor that lock is then transferred into a data-processing machine whichmaintains the internal code for the lock of interest in thedata-processing machine. The method then proceeds by electronicallybiometrically identifying the first and second potential users to begiven simultaneous access on a dual access basis to the structuresecured by the lock. The identification may be done with other factors,including a credential and/or PIN. The method then proceeds byelectronically concurrently comparing the biometrically identified firstpotential user and the second biometrically identified potential user toa previously generated list of biometrically identified users authorizedto have simultaneous access to the secured structure to determinewhether the first and second biometrically identified potential usersare authorized to have such simultaneous access. The identification maybe carried out utilizing the terminal, and identification of each usermay include biometric identification and one or more other factors(e.g., a credential or PIN). The method, in addition to the biometricidentification, may utilize one or more other factors (e.g., credentialand/or PIN) to determine authorization of the simultaneous access users.The method then proceeds by providing the internal code in the form of aremovable electronic key to the first and second potential usersidentified concurrently as being authorized to simultaneously access thecontainer secured by the lock; this is done by encoding the internalcode into an electronic key usable by the identified authorized bysimultaneous users.

The system and device may be configured to carry out different modes ofoperation. For example, the system and device may carry out locker mode,route mode, and safe deposit box modes. In addition, one or more modesmay be combined to provide mixed-use modes.

According to a preferred embodiment, the route mode may be configured toprovide the user with a plurality of locks (or eCylinders) that the useris required to and authorized to access during the user's course ofcarrying out the user's duties. The user may be provided with access, inthe form of lock codes provided on the user key for locks that areaccessed on the user's route (or other course of duty).

According to a preferred embodiment, the locker mode may be implementedto provide a key that is configured to be programmed with lock codesthat are specific to one or more locks associated with an access, suchas, for example, a lock identified by number (e.g., lock number 560456or padlock), a specific containers, or a location (door or drawer). Thesystem may group two or more terminals so that keys may have specificfunctions when used at particular terminals (such as reduced functionsor increased functions). Some terminals may be configured to limit theauthorizations that may pass through, while other terminals may permitall types of authorizations. For example, terminals employed in ahigh-security area may be the only terminals that provide access tocertain high-security items or locks, so that even where an authorizeduser is authorized at the high security access level to access the highsecurity items or locks, if the user attempts to program a key outsideof the high security area (e.g., at a terminal not in a high securitylocation), the user will not be provided any high security access on akey programmed on the terminal out of the high security area.

The system may be controlled through a web management arrangement, wherea computing device, such as a server, at a location remote from theterminal, is in communication with the terminal. According to someembodiments, the permissions for one or more users may be downloaded tothe terminal. This may be done at the time of the request for actuationof an electronic key, or alternately, may be done by the terminalperiodically, or at designated time. A web management server may be usedto specify permissions for users. The web management server also mayprovide the terminal with information as to inquiries, surveys andinformation that is to be obtained from a user, and to receiveinformation from the terminal that a user has provided (or that a keyplaced into the terminal provides).

System builder applications also may be implemented to functionalizelocks and terminals with intended users who are expected or assigned toauthenticate keys.

The method, system and device preferably may implement functions withthe key and key access. Some examples of the functions includeprocedural compliance, proactive threat and health monitoring, activityreporting, intuitive system management, operational efficiencies andaccountability through biometrics. A user that desires to activate a keythrough the terminal or kiosk may be made to confirm particular sets offacts or events. For example, in the case of compliance, the user may berequired to input compliance information to demonstrate that arequirement has been met or complied with. This may be required prior tothe key being activated. Should a user fail to demonstrate compliance,the system may proceed not only to deny activation, but may providefurther information, an alert so as to alert a designated person ordevice to undertake some activity, such as suspending the individualfrom further activity, investigate the cause of the compliance failure,deactivate other equipment (to which that the user may have access), ortake some other action.

The user may be required to provide information about a condition of alocation before activation of the key takes place. For example, the usermay input a key into the terminal and be required to identify conditionsthat may be known to that individual and which may pertain to theindividual's duties or location. A survey may be displayed on theterminal screen and the individual may be required to respond. Forexample, if the individual is servicing a facility, questions about thelocation may be asked, such as whether the location appears clean, howmany staff were observed, what other brands were also present at thelocation, and other information. According to some preferredembodiments, the survey may provide accountability through the factorverifications, including biometric, credentialed, and/or access PIN orcode identification. The information may be stored to confirm, whenrequired (e.g., at a subsequent time, or for reporting to an agency,company, department, outside compliance unit, or other resource), thatprotocols, procedures, and operating requirements were met. The surveymay be coordinated with operations undertaken by the user of a key, sothat, in addition to survey responses, access data, such as, accesses ofthe key including successful accesses, denials of access orauthorizations, the times, locks, and personnel may be tracked, reportedand evaluated, with reporting engines, compliance engines, and othermodalities that may linked to utilize the lock, key and survey data toproduce related alerts, warnings, and the like.

The method, system and device also may be used to regulate access tostructures, which, for example, may include lockers, safes, safe depositboxes, containers, computer racks, doors, pedestals, cabinets, and othercontainments. Preferred embodiments feature attributes and advantages ofphysical keys and mechanical lock cores, but also provide reporting andauditing capabilities. Keys may be activated for particular timeperiods, and have expirations or durations associated with theiractivity. For example, the key, or one or more of its functions orcodes, may expire after a particular time duration, at a particular timeor upon a particular event (one-time use, refill, etc.). In someembodiments, other functions of the key may remain operative, eventhough some functions are no longer operative. Keys provide controlledaccess to a containment or other structure, and may be electronicallyprogrammed to open only specific locks during a designated schedule.Schedules may also contain an expiration point to completely disable thekey until it is audited and reprogrammed.

An accountability feature is provided. The method, system and device maybe utilized to record audit information. Audit information may berecorded in both the lock and key, and preferably, the key and lock areconfigured to retain and provide a time and date-stamped record of everyevent, including authorized accesses and unauthorized attempts.

The system preferably is configured to provide electronic rekeying andscheduling when required. For example, the configuration of the locksand keys permit quick responses to security threats, lost or stolenkeys, or personnel changes without the added cost of changing locks andkeys.

The system may be configured as a replacement to existing lockcylinders. Preferred embodiments provide the ability to install the lockcylinders to be used with the keys and features of the keys, without theneed for hardwiring of the locks, and where the key is able to providepower to the lock cylinder.

According to preferred embodiments, where a key has already beenprogrammed with a listing of authorized lock access permissions or codes(e.g., for another user who has returned the key, and is not thereforeable to use the key), the key, although deactivated for that user, andanyone else that would try to use the key, may be reprogrammed foranother user by considering the locks already programmed on that key andproviding any additional locks and their respective codes as an updateto those already present in the key. The lock codes on the keypreviously inactive, and the newly added codes, may be made active forthe user. Conversely, where a user's permission (lock list) does notinclude one or more locks listed on the key, then those locks andauthorization codes may be deleted from the key. According to someembodiments, deactivation of a key (by expiration of the user'spermitted time limit, or by a return of the key to a key retaininglocation or unit) may render the key unable to open locks, and the key,when deactivated, may continue to contain lock codes that may be presenton the key but which require further programming for their use.According to other embodiments, when a key is deactivated, the key doesnot contain lock codes, and may be wiped or have the programmedinformation deleted therefrom.

According to preferred embodiments, the key information, lock codes, andinformation transmitted between the terminal and a remote location(e.g., remote server, web management system, or the like), may beprovided in encrypted form to provide additional security.

According to preferred embodiments, the system and devices preferablyare configured to integrate with traditional access control systems thatalready may be in place.

The system, method and devices may be configured with enterprisemanagement software, which may include Microsoft Structured QueryLanguage (SQL) Relational Database Management Software (RDBMS),Microsoft Windows 7 Embedded Operating System (OS), or other suitablesoftware. The system, method and devices are designed to work in bothsingle-use and dual-person applications. The software includesinstructions to grant privileges to users based on their uniquebiometric identifier (who they are), what they know (PIN code), and/orwhat they have (credential). The software is implemented as part of orin connection with the terminal and is easy to use and administer, yetis powerful and full-featured to provide a highly secure lockingcapabilities with enhanced compliance and audit trail reporting.According to preferred embodiments, the system, method and devicescombine the attributes and advantages of physical keys and mechanicallock cores with the reporting and auditing capabilities of traditionalaccess control systems.

According to a preferred embodiment, the devices, such as a terminal,may be use with programmable keys and electronic lock cores (also knownas eCylinders). Each programmable key holds the operating and expirationschedule and list of authorized lock cores for its intended user. Theelectronic lock cores may secure virtually any door, cabinet, locker orother device that requires protection and an audit trail. Power from theprogrammable keys, which are rechargeable, provides the required powerto operate the electronic lock cores. According to preferredembodiments, the programmable keys may provide the power withoutrequiring other external power sources to operate the electronic lockcylinders. Other than the rechargeable battery in the key, otherbatteries or wireless connections are not required for the key and lockscylinders to operate.

In the preferred practice of this aspect of the invention the recordingof the internal code is performed within the electronic key. A step ofelectronically biometrically identifying potential customers ispreferably performed by electronically sensing fingerprints of thepotential customers, and, according to some preferred embodiments,identification is also carried out by verifying a user's electroniccredential and/or PIN. In preferred embodiments, the PIN and/orcredential are factor verifications that are used to identify a user inaddition to biometric identification, and are carried out at theterminal or kiosk. The biometric identification, for example, mayinclude any of those methods described herein (e.g., electronicallysensing a print of finger(s), thumb(s), palm(s), sensing eyecharacteristics, facial recognition, or sensing DNA).

According to some implementations, when carrying out a method forbiometrically electronically controlling access to a container securedby an electronic lock, one or more of an electronic credential and/orPIN also may be required to verify a user and regulate access to anelectronic lock. In this aspect of the invention the method commences byinserting an electronic key into the lock and recording an internal codeneeded to open the lock where the code is recorded within the electronickey. The internal code for that lock is then transferred from theelectronic key into a data processing machine. The internal code ismaintained together with an identifying code for the lock of interest inthe data processing machine. The method then proceeds by identifying anyperson seeking to access materials secured by the lock e.g.,biometrically and one or more other factors, such as a PIN and/orelectronic credential. The method further proceeds by electronicallycomparing the biometrically identified person to a previously generatedlist of biometrically identified persons authorized to have access tothe secured container, and compares the credential and/or PIN to apreviously generated list of users matching that respective credentialor PIN (or both), to determine whether the identified persons areauthorized to have access. If the identified person is found to beauthorized to have access, the invention proceeds by providing theinternal code to a person identified as authorized to access thecontainer secured by the lock by encoding the internal code into anelectronic key useable by the identified authorized person thereby toaccess the materials secured by the lock.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic depiction of a collection of containers to whichindividual customers would desire access after renting the container,with the containers being under the jurisdiction of a supplier andaccess to the containers being controlled by the method and apparatus ofthe invention. In FIG. 1, individual containers are numbered 1 through 8and “A” and “B” respectively for purposes of identification herein.

FIG. 2 is another schematic depiction of a collection of containers,access to which can be controlled in accordance with the invention.

FIG. 3 is a schematic depiction of yet another configuration ofcontainers to which access can be controlled according to thisinvention.

FIG. 4 is an isometric view of a terminal manifesting aspects of theinvention and used in the course of practice of the invention.

FIG. 5 is an isometric view of an electronic key and correspondingelectronic cylinder used in the course of practice of the invention.

FIG. 6 is a front view of the terminal illustrated in FIG. 4, with twoelectronic keys as illustrated in FIG. 5 in place in key retention unitsthat are preferably component parts of the terminal.

FIG. 7 is a view of an electronic key as shown in FIG. 5 in place aftera secured container has been opened using the method of the invention.

FIG. 8 is an isometric view, taken from a different perspective, of theelectronic key and corresponding electronic cylinder illustrated in FIG.5.

FIG. 9 is a schematic isometric view of a terminal similar to thatillustrated in FIG. 4, but with four electronic keys in place and with afingerprint reader portion of the terminal clearly shown.

FIGS. 10-40 are screenshots A through AE which show depictions of imagesappearing on the screen of the terminal in the course of practice andoperation of various aspects of the invention, as described in Examples1 through 23 hereinbelow.

FIG. 41 is a perspective view of an alternate embodiment of a terminalmanifesting aspects of the invention and used in the course of practiceof the invention, configured with a fingerprint reader portion, a keyport, and an electronic reader.

FIG. 42 is a rear elevation view of the terminal of FIG. 41.

FIG. 43 is a left side elevation view of the terminal of FIG. 41.

FIG. 44 is a right side elevation view of the terminal of FIG. 41.

FIG. 45 is a schematic diagram showing sequences for a method ofimplementing the system and apparatus.

FIG. 46 is a diagram showing examples of monitoring and other operationsthat may be carried out with the system and apparatus.

FIG. 47 is an exemplary screen shot illustrating a backup settingsmanagement panel.

FIGS. 48-58 are screen shots which show depictions of screen shot imagesappearing on a screen display of a terminal implementing a managementsystem according to the invention.

FIG. 59 is an exemplary depiction of a screen shot of a managementscreen for configuring the key usage order, showing an exemplaryimplementation of sequence order designation for eCylinders to beaccessed with a key.

FIG. 60 is an exemplary depiction of a screen shot of an implementationof the system showing a locker mode configuration where a plurality ofeCylinders associated with locks are depicted on the screen anddisplayed for selection by a user.

FIG. 61 is an exemplary depiction of a screen shot of an implementationof the system showing a route mode configuration where a selectionrepresenting a lock or group of locks is depicted on the screen anddisplayed for selection by a user.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

In a preferred embodiment of the invention, there is provided apparatusand methods to provide a comprehensive locking solution intendedprincipally for financial institutions and other industries that aresubject to regulatory security requirements. In the preferredembodiments, the apparatus of the invention includes managementsoftware, a Microsoft SQL RDBMS, preferable touch screen with end userinterfaces, at least one certified biometric reader, and high securityprogrammable keys insertable into corresponding lock cores. In onepreferred embodiment of the invention, the high security programmablekeys and lock cores are Medico NexGen XT cylinders, cores and keys.

As used herein, “container”, such as container 26, generally refers to asafe deposit box, such as those shown that are housed in collective formin container housings 10A, 10B and 10C in FIGS. 1, 2 and 3. As usedherein, “customer” generally refers to an individual or entity rentingone of the containers 26. In some instances herein, the word “kiosk” isused in place of the word “terminal.” As used herein “terminal”, such asterminal 20, generally refers to a kiosk or more preferably a standaloneterminal to which a customer goes to obtain access to the customer'srented container 26. In some instances herein the word “kiosk” is usedin place of the word “terminal”; no inferences are to be drawn from suchusage. As used herein, “supplier” generally denotes the entity, such asa bank, owning the containers 26 and terminals 20, and which rents thecontainers 26 to customers. As used herein “software” generally refersto the computer programs that process data from a biometric reader orinput device, such as a biometric fingerprint reader 34, and from one ormore programmable electronic keys, such as electronically programmablekeys 18, which operates to achieve the security function of theinvention.

Referring to the drawings in general, and to FIGS. 1, 2 and 3 inparticular, container housings 10, for housing containers in a securemanner in accordance with the invention, take various configurations,with container housings 10A, 10B and 10C being illustrated in FIGS. 1, 2and 3, as exemplary configurations of container housings. Each containerhousing 10 includes a plurality of container housing doors 12, with eachcontainer housing door 12 providing access to a container 26 retainedwithin the container housing by closure of container door 12. Containerhousing 10A, with one door 12 open as illustrated in FIG. 7 with acontainer 26 being partially removed from the container housing 10A.

An electronically programmable lock 14 is illustrated generally in FIG.5 and in FIG. 8, together with an electronically programmable key 18 inthose two Figures. Each electronically programmable lock includes acylinder portion as illustrated in FIGS. 5 and 8, where the cylinderportion is numbered generally 16, and includes a receptacle formed inone end of the cylinder portion where the receptacle is numbered 22 andserves as a female portion of the electronically programmable lock 14.Receptacle 22 receives a plug portion 24 of an electronicallyprogrammable key 18, where plug portion 24 serves as the male portion tomate with female portion 22 when an electronically programmable key 18is used to open an electronically programmable lock 14.

A terminal 20 in accordance with the invention is illustrated in FIGS. 4and 6, and includes a screen 28 and at least one key retention unit 30.In the particular terminal illustrated in FIGS. 4 and 6, two keyretention units 30 are provided as a part of the terminal 20. In FIGS. 4and 6, electronically programmable keys 18 are illustrated residentwithin key retention units 30 of terminal 20.

Terminal 20 further includes a biometric sensor, preferably afingerprint sensor, which may be positioned as illustrated at 34 inFIGS. 4 and 6. Alternatively, the fingerprint sensor may be a separateunit, removed from screen 28 of terminal 20, but located in closeproximity thereto and electronically connected to the software as isterminal 20 for display of the relevant screens provided by the softwareon screen 28 of terminal 20.

Terminal 20 preferably includes a key retention unit 30 havingreceptacles for one or more programmable electronic keys 18. When acustomer goes to the terminal 20 and identifies himself or herself bysome biometric means, preferably by supplying a fingerprint read by thefingerprint reader part 34 of terminal 20, an electronic key 18 isreleased and the customer is permitted use of the key 18 to open thecustomer's container 26.

The preferred programmable electronic key 18 fits into terminal 20 andspecifically into the key retention unit 30 where the key 18 is chargedwhenever it is in place within the terminal 20. A rechargeable batterywithin the key 18 assures that the key 18 is always fully charged. Onekey 18 can perform up to 800 container openings on a single charge afterbeing removed from the terminal 20. Preferably the terminal can house aplurality of keys 18 simultaneously.

Authorized customers and authorized employees of the supplier mustpresent their previously enrolled biometric identifier, typically afingerprint, in order to activate and use the key 18 provided at theterminal 20. Once activated, the key 18 may be removed from the keyretention unit 30 of the terminal 20 by the customer (or by anauthorized employee) in order to gain access to the container(s) 26 towhich that customer is authorized to have access. The key 18 remainsprogrammed for a predetermined amount of time and is rendered inactiveafter returned to the terminal 20 or after the predetermined amount oftime expires. When the key 18 is rendered inactive, it is renderedinactive for that particular customer. For the customer to reactivatethe key 18, the customer must place the key 18 back into the keyretention unit 30 of the terminal 20 and reenter the customer'sbiometric identifier for identification of the customer by the software.The software permits access only by a specific customer to a container26 based on that customer's biometric identifier. The software does notpermit access to a container 26 by a customer using the programmableelectronic key 18 based on what the customer might have in thecustomer's possession, such as a key fob or card, or what the customermight know, such as a personal identification number code. Whilefingerprint is the preferred biometric identifier, hand geometry, facialrecognition, eye iris characteristics or DNA characteristics may also beused.

The software may be configured for use with many types of containerssuch as self-serve safe deposit boxes, lockers in educationalinstitutions, vending machines on a sales route, and the like. Once thesoftware is set and the terminal configured for a given application,that mode of application may not be changed.

The preferred fingerprint reader portion of the terminal is preferablysupplied by Digital Persona.

One of the functions performed by the software of the invention is toenroll new customers into the system. Initially, the customer providesthe customer's name, including the first name, the middle initial, andthe last name, the customer's address, the customer's city, state andzip code, the customer's telephone number and type of telephone. Thecustomer preferably supplies, but is not required to supply, an e-mailaddress, an identification number and a personal identification or PINnumber.

The customer then places the customer's appropriate finger on thefingerprint reader 34, whereupon an image of the finger is put into thesystem and stored by the software. The customer may enroll up to all tenof his or her fingers the software using the fingerprint reader 34. Whena desired finger or fingers are selected, the desired finger must bepresented to the reader 34 a number of times, preferably four times.

If the fingerprint is read correctly, the appropriate number of thefinger is preferably highlighted on the screen 28 of terminal 20,preferably in blue. The screen 28 is preferably an integral portion ofthe terminal 20. If the finger is not read correctly as to thefingerprint, a failure notice appears on the screen portion 28 of theterminal 20 and the finger must be presented again. After successfullypresenting the finger four times, this success is displayed as feedbackon the screen 28 of the terminal 20. The option is provided for thecustomer to present additional fingers as desired and in each case, thefinger must be presented four times for the fingerprint to be read andverified correctly.

Once the fingerprint enrollment process has been completed for a givencustomer, the next step is to select a container 26 to be rented by thatcustomer and to define a rental term, in months, for the selectedcontainer 26. Selecting a container 26 is optional, in that the customermay be entered into the software to become a co-owner of an alreadyrented container 26 or an authorized user of a container 26 alreadyrented by another customer.

Once the customer enrollment process is completed, the customerpreferably clicks on a “Finish” button, which is preferably on a touchscreen portion of terminal 20, to save the information into thesoftware. If a container has been selected for the customer, theselected container is ready to be “commissioned.” The customer mustpresent the customer's fingerprint to the sensor of terminal 20, removeone of the electronic keys 18 from terminal 20, and access container 26using the appropriate electronic key. After opening container 26 andre-docking electronic key 18 at terminal 20, container 26 is consideredto be rented. Of course, container 26 to be rented by the customer maybe selected for the customer by an employee of the supplier, who mustalso supply his or her fingerprint information before the software willpermit that individual to participate in the selection process, if thisoptional feature is included in the software.

Each container has a state variable associated with it. The statevariable may be that the container is ready to be rented, or that thecontainer may be awaiting commission, in which case the rental processhas begun and the customer must access the container for the first time;or that the container state variable may be rented, in which case therental process is active and the customer has accessed the container atleast one time; or that the container state variable may also be that ofawaiting decommission, in which case the rental process is ending andthe customer must access their container one final time.

Customers may edit their information, such as when a customer's addresschanges. In such case, the customer again presents the customer'sfingerprint for verification. Once the fingerprint has been verified, ascreen page preferably appears permitting the customer to change therelevant information, such as the customer's address. The screen pagepreferably appears on screen 28 of terminal 20. Upon completion ofediting the information, the touch screen may be touched and the “Save”function activated, whereupon the customer must again present thecustomer's finger to verify that the correct customer is saving theinformation that has been changed.

When a customer desires to renew the rental term for an existingcontainer that is rented, the customer may present the customer'sfingerprint to fingerprint reader portion 34 of terminal 20, whereuponthe “Edit Customer Information” appears, and the customer may click orpress a touch screen a code for “Renew Container”, which brings upinformation and a screen via which the customer may select theappropriate container 26 if the customer has rented more than onecontainer 26. The customer may define the new renewal term, in months,and thereupon may instruct that that information be saved by pressingthe appropriate “Save” portion of the touch screen. If the customer hasrented more than one container, the rentals of the additional containersmay be renewed by selecting another container 26 from the informationpresented on screen 28 at terminal 20 and repeating the process as setforth hereinabove.

When a customer wishes to surrender their container 26, the supplier maydecommission the container. The supplier employee, after presenting hisor her finger for verification at the terminal, clicks on an “EditCustomer” button, or preferably a touch screen indicator, and thereafteridentifies the customer by clicking on or touching a “Retrieve User”indicator. At this point, the collection of currently assignedcontainers is populated in a grid. To decommission the relevantcontainer, the supplier employee clicks on or touches a “Decommission”indicator within an appropriate row of the grid of currently assignedcontainers. Next, the supplier representative or employee clicks on ortouches a “Decommission Lock” indicator on the touch screen. Thecustomer then presents his or her finger for verification of thecustomer identity again, and the status of the container is changed to“Awaiting Decommission.” The customer then removes the appropriateelectronic key 18 from terminal 20 and accesses the customer's container26 one last time. Once the customer has done this and electronic key 18is returned and docked at terminal 20, the customer's container isplaced back into the “Available” state, whereupon container 26 may berented to another customer.

When the need arises to halt access to a container and nevertheless keepthe container in a rented state, the container may be put into a“Suspended” status. The software does not permit a customer to put thecontainer into “Suspended” status; only personnel of the supplier maysuspend or unsuspend a container.

To start the process of suspending a container, a representative of thesupplier whose identity has been fingerprint verified clicks on a“Configuration” button or preferably a touch screen indicator andselects a tab labeled “Container Management.” To suspend the container,the identity verified representative of the supplier selects thecontainer from a drop-down list, using the keyboard of the terminal,types a brief reason as to why the container is being suspended, andthen clicks or preferably touches a “Suspend” indictor on the touchscreen.

To put the container back into an active state, a fingerprint identityverified representative of the supplier on the drop-down menu places acheckmark in an area on the preferable touch screen for “AllContainers,” whereupon a drop-down list of the containers appears andthe container may be selected by the fingerprint identity verifiedrepresentative of the supplier. The representative of the supplier thentypes a brief reason as to why the container is being resumed and beenplaced back into an active state and clicks or touches the “Resume” keyor area of the preferable touch screen to place the container back intoactive status.

In the event a container must be forcibly closed and deactivated withoutthe customer present, the lock within the container must be deactivatedand the container must be forced open, whereupon the current lock in thecontainer will no longer function. To start the process using thesoftware of the invention, the representative of the supplier clicks ona “Configuration” tab or portion of the touch screen from the main menuand selects a tab labeled “Container Management.” At this point, therepresentative of the supplier selects a container from the drop-downlist and provides a reason for the deactivation. Fingerprint identityverification must be made by the supplier representative, as describedabove, before deactivating any container.

The software of the invention further provides the capability to add aco-owner or co-customer associated with an existing container that isalready rented. In such case, the customer, who is the originalcustomer, must be present and the new co-owner or co-customer must bealready enrolled, having presented the co-customer's fingerprint andidentifying information as described above. To then add the co-customer,from the main menu, one clicks or presses on the “Edit Customer”indicator, whereupon the customer is identified by clicking orpreferably touching on the “Retrieve User” indicator, and whenidentification has been made, one clicks on the “Co-Owner” indicator onthe preferred touch screen. A grid of currently assigned containersappears on the screen and is populated with the containers that arecurrently assigned to the customer. The co-customer or co-owner may beadded to one or more containers by selecting the tab or preferable touchscreen indicator of “Add Co-Owner” for the appropriate container,whereupon one clicks on the “Add Co-Owner” button or touches thepreferable touch screen, and fingerprint identification verificationmust be performed again, as set forth above.

The software of the invention further provides for removal of a customerif a container is indicated to have multiple customers or owners. Atleast one customer must be present to remove another customer. For thisprocess, the customer, from the main menu, touches or clicks on the“Edit Customer” indicator, whereupon the customer is identified byclicking on or touching the “Retrieve User” indicator. Afteridentification of the customer has been made, the “Co-Owner” tab isclicked on or touched, whereupon the currently assigned container gridappears on the terminal screen and is populated with the containersassigned to that particular customer.

Removing a customer must be performed on one container at a time, butremoving multiple owners may be performed all at once for a singlecontainer. A customer clicks on or touches the appropriate row withinthe currently assigned containers grid. The customer or owner gridautomatically populates with the existing customers or owners. Thecustomer then selects which customer to remove by placing a check in the“Remove Co-Owner” column, and clicks or touches the “Remove Co-Owner”button or area on the touch screen. In all cases, fingerprintverification must be made again, as described above, before a customermay be removed from a container.

The software further facilitates addition of an authorized user to anexisting container. The add an authorized user to an existing container,the customer for that container must be present and the authorized usermust be enrolled, having submitted the authorized user's fingerprint andidentifying information as described above for the customer.

To add the authorized user, from a main menu, one clicks on the “EditCustomer” button or portion of the touch screen. The customer is thenidentified by clicking on the “Retrieve User” button or portion of thetouch screen. Once fingerprint verification identification has beenmade, the authorized user tab or portion of the touch screen isactivated. The currently assigned container grid appears on the screenand is populated with the containers assigned to the customer. Anauthorized user may be added to one or more of the containers for thatcustomer. The authorized user is added by selected the “Add AuthorizedUser” container in the grid for the appropriate containers, whereuponthe customer clicks on the “Add Authorized User” button or portion ofthe preferable touch screen. In all cases, fingerprint identificationverification must be performed first, as described above.

The software further provides capability to remove an authorized userfrom a container, in which case the customer for the container must bepresent. Fingerprint identification verification must be performed asindicated above.

Once that has been done, from the main menu, the customer clicks ortouches on the “Edit Customer” area of the screen and identifies himselfor herself by clicking on the “Retrieve User” area and then afterfingerprint verification identification has been made, clicks on the“Authorized User” area. A currently assigned container grid appears andis populated with the containers assigned to that customer. Removing anauthorized user from a container must be performed on one container at atime. However, removing multiple authorized users may be performed allat once, on a single container. This is done by clicking on theappropriate row within the grid of currently assigned containers. Theauthorized user grid appears and automatically populates with existingauthorized users. At that point, the fingerprint verification identifiedcustomer selects which users to remove by placing a check in the “RemoveUser” column, and then clicks on the “Remove Authorized User” button orarea of the preferred touch screen.

When another new container is to be rented to an existing customer, fromthe main menu the “Edit Customer” selection is made. The customer isthen identified using the “Retrieve User” button or area on thepreferred touch screen and after identification has been made, thecustomer or a representative of the supplier clicks on the “Containers”tab or an area of the preferred touch screen.

The software then displays two grids, namely the grid of “CurrentlyAssigned Containers” and a grid of “Available Containers.” In order toassign an available container to the customer, the supplier employee orrepresentative clicks on “Select” within the appropriate row ofavailable containers, whereupon the container defined by that particularrow is added to the customer's profile. At that point, the employee orrepresentative of the supplier clicks on the “Assign Container” buttonor area of the preferred touch screen, whereupon fingerprintidentification verification must be made again by the customer. Renewalterms must be defined. After that information has been saved, the modefor the particular container selected is set to “Awaiting Commission.”The customer must then proceed by retrieving the key from the terminaland accessing the container of interest in order to commission thecontainer.

The software of the invention allows customers to update theirfingerprint template at any time. To begin from the main menu, acustomer clicks on the “Edit Customer” button or portion of thepreferred touch screen, and the customer is identified using the“Retrieve User” function. After fingerprint identification verificationhas been made, the fingerprint tab is selected. To remove data for anexisting fingerprint, the customer clicks on the highlighted finger. Toadd a fingerprint, the customer clicks on any finger and follows theenrollment process described above.

Once this procedure has been finished, the customer clicks on the “Save”button or portion of the preferred touch screen.

The software deals with new employees of the supplier and permitsenrollment of them by providing a screen for insertion of informationfor a new employee. Specifically, the new employee's first name, middleinitial and last name are required, as is the principal name of thesupplier. An optional field is provided for an employee number, as is anoptional field provided for a PIN number for the employee and an e-mailaddress for the employee.

An option is provided to designate the supplier employee as anadministrator within the software of the invention. There is furtherprovided an indicator for the supplier employee if that employee is tobe authorized to perform maintenance at the terminal. Furthermore, ifthat employee is to have the ability to add further employees to thissystem, or to maintain existing employees by editing their information,those indicators are also provided on a new employee permission screen.The software further provides for flagging the employee as a temporaryemployee, and if the employee is indicated to be a temporary employee,the date that the employee's access to the system is to expire isentered into the system. The new employee is required to provide hisfingerprint in order to enroll, following the procedure as set forthabove for enrollment and identification of customers by theirfingerprints. As with the customer identification, once an appropriatefinger is selected by the employee, it must be presented to thefingerprint reader four times. If the fingerprint is read correctly, theappropriate number of the finger is highlighted on a screen of theterminal. Otherwise, a failure notice appears and the finger must bepresented to the fingerprint reader again. After successfully presentingthe finger four times for fingerprint reading, a successful dialoguefeedback is displayed on a screen of the terminal. Additional fingersmay be entered as required or desired.

To assign responsibility for given containers to an employee of thesupplier, a checkmark is placed in a selected column in the containerlisting. Containers need not be assigned at that time. To complete theemployee's enrollment process, one clicks on or presses the preferredtouch screen indicator for “Next” and then a “Finish” button or touchscreen indicator on the screen of the terminal.

To edit an existing employee, one selects a name from a drop-down listof employees. Afterwards, the appropriate field for that employee ispopulated. For example, the employee may be one flagged as anadministrator with terminal access. The employee may be a temporaryemployee, having a key duration of 500 minutes, and not having access toany containers.

The software and the terminal require time synchronization service toinsure the date and time are accurate. Preferably five public time syncservers are defined within the database. Depending on local firewallrules however, use of public time sync servers may not be allowed.Accordingly, the supplier's time sync server may optionally be permittedto coordinate with the software of the invention. For timesynchronization, a tab or touch screen indicator of the same isselected. The software allows activation of an existing inactive timesync server and allows insertion of a new time sync server once the hostname or IP address, port number, and any comments are entered. Once thishas been done, the next time the watchdog service tries to perform timesynchronization, the newly added time sync server will be used. Only onetime sync server must be active at any one time in connection withoperating the software of the invention. Software and database updatefunctions are performed using conventional security tokens andconventional updating and storage procedures.

Keys may be added to the software of the invention. The key serialnumber and encryption data from the dealer and a short description ofthe key are required. Only administrators designated by the supplier canadd and deactivate keys from the software of the invention.

The false acceptance rate (FAR), also known as the security level, isthe proportion of fingerprint verification operations by authorizedusers that incorrectly return a comparison decision of “a match.” TheFAR is typically stated as the ratio of the expected number of falseaccept errors divided by the total number of verification attempts, orthe probability that a biometric system will falsely accept anunauthorized user. A probability of 0.001 (or 0.1%) means that out of1,000 verification operations by authorized users, a system is expectedto return one (1) incorrect match decision. Increasing the probabilityto 0.0001 (or 0.01%) changes this ratio from 1 in 1,000 to 1 in 10,000.

Increasing or decreasing the FAR has the opposition effect on the falsereject rate (FRR). Specifically, decreasing the rate of false acceptsincreases the rate of false rejects and vice versa. Therefore, a highsecurity level may be appropriate for an access system dealing with asecured area, but may not be acceptable for a system for an area whereconvenience or easy access is more significant than security. Thepreferred default value of the software in accordance with the inventionis set at 4,295, which equals a FAR probability of 1 in 500,000.

The following examples illustrate operation of the invention. Theexamples are presented to provide the reader with a clear appreciationand understanding of the invention. The presented examples are allnon-limiting. No inference should be drawn from the examples respectingany limitations associated with or inherent in the invention. The scopeand breadth of the legal rights of exclusivity to which the invention isentitled are defined by the appended claims when construed in accordancewith applicable law.

Example 1

Add New Customer

After clicking the button on the main menu labeled New Customer, thecustomer enrollment wizard is displayed (see SCREEN SHOT A, FIG. 10).

The wizard is a step-by-step process to enroll a new customer intoVeraPass. To start, click the “Next” button.

The customer details form contains the following fields (see SCREEN SHOTB, FIG. 11):

Name: First, Middle Initial, Last, and Suffix

Address Lines

City, State, and Zip Code

Phone Number and Type of Phone

Email Address

ID Number

Pin Number (if a PIN is desired, ensure “Use Pin” is checked).

Middle initial, name suffix, email address, ID number and PIN number areall optional fields.

To enroll a fingerprint, click on the appropriate finger to enroll(SCREEN SHOT C, FIG. 12). Up to ten (10) fingers may be enrolled. Aminimum of two (2) fingers per customer is recommended.

Once the desired finger is selected, it must be presented four (4)times. If the fingerprint is read correctly, the appropriate number ishighlighted in blue (SCREEN SHOT D, FIG. 13). Otherwise, a failurenotice appears and the finger must be presented again. Aftersuccessfully presenting the finger four times, the successful feedbackis displayed (SCREEN SHOT E, FIG. 14). Click on additional fingers asneeded. Hit “Next” when this step is completed.

After the fingerprint enrollment process is completed, the next step isselecting a container and defining a rental term, in months. Pleasenote, selecting a container is optional—the customer may be entered intoVeraPass to become a co-owner of an existing container or an authorizeduser of another customer—refer to the appropriate section for details.The container(s) is selected by placing a check in the “select”container and entering the number of months agreed upon for the rentalin the column entitled “Term (in Months).

Once the customer enrollment process is completed, click the “Finish”button to save the information into VeraPass (see SCREEN SHOT F, FIG.15).

If a container was selected for the customer, it is ready to becommissioned. The customer must present their fingerprint to the kiosk,remove the appropriate key, and access the container. After opening thecontainer and docking the key at the kiosk, the container is consideredto be rented (see SCREEN SHOT G, FIG. 16).

Container States

Available

Ready to be rented

Awaiting Commission

Rental process has begun; customer must access their container for thefirst time

Rented

Rental process is active; customer has accessed their container at leastone time

Awaiting Decommission

Rental process is ending; customer must access their container one lasttime

Example 2

Editing Customer

From the main menu, select “Edit Customer.” Once the maintenance formappears, select “Retrieve User.” Afterwards, the customer must presenttheir fingerprint for verification.

Any of the fields may be changed (see SCREEN SHOT H, FIG. 17). Oncechanged, click the “Save” button. The application prompts you for afingerprint as verification.

Example 3

Renew Container Rental Term

To renew a rental term for an existing container rental, select “EditCustomer” from the main menu. Next, click on the “Renew Container”button. Customer identification via fingerprint is not required to renewthe rental term.

Select the appropriate container from the drop down list. The owner'sname(s) appear along with the date opened and current expiration date.Define the new renewal terms, in months, and click the “Save” button(SCREEN SHOT I, FIG. 18).

Additional containers may be renewed by selecting another container andrepeating the process outlined above.

Example 4

Surrender Container

Voluntarily

When a customer wants to surrender their container, you may decommissiontheir container. To start, click on the “Edit Customer” button from themain menu. Next, the customer must be identified by clicking on the“Retrieve User” button.

Within the Containers tab, the currently assigned containers grid ispopulated. To decommission the container, click on the “Decommission”field within the appropriate row. Next, click the “Decommission Lock”button (SCREEN SHOT J, FIG. 19).

Fingerprint verification must be made again. Follow the prompts asneeded. At this point, the status of the container is placed into theAwaiting Decommission state. The customer must go to the kiosk andpresent their finger, remove the key, and access their container onelast time. Once that is completed and the key is docked at the kiosk,the container is placed back into the Available state.

Example 5

Suspending and Resuming a Container

When the need arises to halt access to a container and keep it in theRented state, the container may be suspended. The customer does not needto be present in order to suspend a container. Only administrators maysuspend or resume a container.

To start the process, click “Configuration” from the main menu andselect the tab labeled Container Management.

Suspending

Select a container from the drop-down list

Type a brief reason as to why the container is being suspended

Click the “Suspend” button

Resuming

Place a checkmark in “All Containers”

Select a container from the drop-down list

Type a brief reason as to why the container is being resumed

Click the “Resume” button

See SCREEN SHOT K, FIG. 20.

Example 6

Deactivating Container

In the event a container must be forcibly closed without the customerbeing present, the lock within the container must be deactivated. Thecontainer will have to be forced open and the current lock will nolonger function. This process cannot be reversed. The container must beforcibly opened and a new lock will have to be installed.

To start the process, click “Configuration” from the main menu andselect the tab labeled Container Management.

Select a container from the drop-down list and provide a reason for thedeactivation. Before you click on the “Deactivate” button.

Fingerprint verification must be made again. Follow the prompts asneeded (SCREEN SHOT L, FIG. 21).

Example 7

Adding a Co-Owner

In order to add a co-owner to an existing container, the owner must bepresent, and the co-owner must be already enrolled.

To begin, from the main menu click on the “Edit Customer” button. Next,the customer must be identified by clicking on the “Retrieve User”button. After identification has been made, click the Co-Owner tab.

The Currently Assigned Containers grid is populated with the containersassigned to the owner. Adding a co-owner may be performed on one or morecontainers. Select the “Add Co-Owner” container for the appropriatecontainer(s). Afterwards, click on the “Add Co-Owner” button.

Fingerprint verification must be made again. Follow the prompts asneeded (SCREEN SHOT M, FIG. 22).

Example 8

Removing an Owner

To begin, from the main menu click on the “Edit Customer” button. Next,the customer must be identified by clicking on the “Retrieve User”button. After identification has been made, click the Co-Owner tab.

The Currently Assigned Containers grid is populated with the containersassigned to the owner. Removing an owner must be performed on one (1)container at a time. However, removing multiple owners may be performedall at once. Click on the appropriate row within the Currently AssignedContainers grid. The co-owner's grid automatically populates with theexisting owners. Select which owner(s) to remove by placing a check inthe Remove Co-Owner column. Next, click the “Remove Co-Owner” button.(SCREEN SHOT N, FIG. 23).

Fingerprint verification must be made again. Follow the prompts asneeded. If the container has multiple owners, at least one (1) ownermust be present to remove another owner.

Example 9

Adding an Authorized User

In order to add an authorized user to an existing container, the ownermust be present, and the authorized user must be already enrolled.

From the main menu click on the “Edit Customer” button. Next, thecustomer must be identified by clicking on the “Retrieve User” button.After identification has been made, click the Authorized Users tab.

The Currently Assigned Containers grid is populated with the containersassigned to the owner. Adding an authorized user may be performed on oneor more containers. Select the “Add Authorized User” container for theappropriate container(s). Afterwards, click on the “Add Authorized User”button. (See SCREEN SHOT 0, FIG. 24.)

Fingerprint verification must be made again. Follow the prompts asneeded.

Example 10

Removing an Authorized User

In order to remove an authorized user, the owner must be present.

To begin, from the main menu click on the “Edit Customer” button. Next,the customer must be identified by clicking on the “Retrieve User”button. After identification has been made, click the Authorized Userstab.

The Currently Assigned Containers grid is populated with the containersassigned to the owner. Removing an authorized user must be performed onone (1) container at a time. However, removing multiple authorized usersmay be performed all at once. Click on the appropriate row within theCurrently Assigned Containers grid. The Authorized User's gridautomatically populates with the existing authorized users. Select whichuser(s) to remove by placing a check in the “Remove User” column. Next,click the “Remove Authorized User” button. (See SCREEN SHOT P, FIG. 25.)

Fingerprint verification must be made again. Follow the prompts asneeded.

Example 11

Renting a New Container to an Existing Customer

From the main menu click on the “Edit Customer” button. Next, thecustomer must be identified by clicking on the “Retrieve User” button.After identification has been made, click the Containers tab.

Two grids are displayed: Currently Assigned Containers and AvailableContainers.

To assign an available container to the customer, click “Select” withinthe appropriate row. As shown in SCREEN SHOT Q, FIG. 26, “Container 283”will be added to the customer's profile.

Click on the “Assign Container” button—fingerprint verification must bemade again by the customer. Afterwards, renewal terms must be defined.After the information is saved, Container 283's mode is set to AwaitingCommission. The customer must proceed to the kiosk, retrieve a key, andaccess the container.

Example 12

Updating Existing Fingerprint(s)

Customers may update their fingerprint templates at any time.

From the main menu click on the “Edit Customer” button. Next, thecustomer must be identified by clicking on the “Retrieve User” button.After identification has been made, click the Fingerprint tab.

To remove an existing fingerprint, click on the highlighted finger. Toadd a fingerprint, click on any finger and follow the standardenrollment process. Please refer to the Fingerprint Enrollment sectionfor details.

Once completed, click the “Save” button. See SCREEN SHOT R, FIG. 27.

Example 13

Adding a New Employee

After clicking the button on the main menu labeled New Employee, theemployee enrollment wizard is displayed. Click the “Next” button toproceed with the enrollment process. See SCREEN SHOT S, FIG. 28.

The following fields are available. See SCREEN SHOT T, FIG. 29.

Name: First, Middle Initial, Last

Universal Principal Name (UPN)

For Active Directory Integration

This field is read only

Employee Number

Pin Number

If a pin is desired, ensure “Use Pin” is checked

E-mail Address

Middle initial, employee number, email address, PIN number are alloptional fields.

The following permissions may also be designated when adding a newemployee (see SCREEN SHOT U, FIG. 30):

Administrator

Select this if an employee is to be an administrator within the VeraPassManagement Software

Kiosk Access

Select this if an employee is to perform maintenance functionality atthe kiosk

Add Employees

Determines the ability to add new employees

Edit Employees

Determines the ability to maintain existing employees

Temp Worker

Flags the employee as a temporary employee

Expires On

If the employee is a temporary employee, this is the date that theemployee's access is to expire on.

Key Duration (Minutes)

The number of minutes the key will operate before having to bereprogrammed. Not applicable in safe-deposit container mode.

To enroll a new employee's fingerprint, click on the appropriate fingerto enroll. You may enroll up to ten (10) fingers. Typical employeesshould have at least two (2) fingers enrolled. If the new employee isgoing to be granted Administrator permission, it is strongly recommendedthat all ten fingers be enrolled. See SCREEN SHOT D, FIG. 13.

Once the appropriate finger is selected, it must be presented four (4)times. If the fingerprint is read correctly, the appropriate number ishighlighted in blue (see SCREEN SHOT E, FIG. 14). Otherwise, a failurenotice appears and the finger must be presented again. Aftersuccessfully presenting the finger four times, the successful dialogfeedback is displayed. Click on additional fingers as needed.

To assign containers to the employee, place a checkmark in the Selectcolumn within the container listing (see SCREEN SHOT V, FIG. 31).Containers do not have to be assigned at this time. To complete theenrollment process, click on “Next” and then the “Finish” button on thefollowing screen (see SCREEN SHOT G, FIG. 16).

Example 14

Edit Existing Employee

To edit an existing employee, select a name from the drop-down list.Afterwards, the appropriate fields are populated. In SCREEN SHOT W, FIG.32, John Doe is loaded who is flagged as an administrator with kioskaccess. He is a temporary employee due to expire on Sep. 18, 2012. Hiskey duration is 500 minutes. He currently does not have access to anycontainers as the Current Access grid is blank.

Example 15

Configuration Area

Time Sync

The VeraPass kiosk requires a time sync server to ensure the date andtime are accurate.

Five (5) public time sync servers are defined within the database;however, depending on local firewall rules, use of public time serversmay not be allowed. Therefore, adding the institution's time sync serveris allowed. From the configuration menu, select the Time Sync tab.

To activate an existing inactive server, double click on the appropriaterow and change the desired fields below in the Details area. Click the“Save” button.

To insert a new time sync server, provide the host name (or IP address),port number (123 is standard), and a comment. Click the “Save” button.The next time the watchdog service tries to perform a time sync, thenewly added server will be used. Ensure only one (1) time sync server isactive in the system. See SCREEN SHOT X, FIG. 33.

Example 16

Configuration Area

Update Kiosk Software

Before starting the update process, you must have a security tokenissued by your installing supplier before starting the update process.

To remotely update the kiosk software, click the “Configuration” buttonfrom the main menu. On the Configuration page, select the Kiosk tab.

First, click on the “Stop Watchdog” button. Second, click on the “StopKiosk App” button. At this point, the kiosk is no longer running theapplication and will not accept fingerprint data from customers oremployees.

To begin the update process, click the “Update Kiosk” button. You'll beprompted to supply the security token and navigate to the new VeraPassapplication. Once the application has been updated, click the “RebootKiosk” button. The kiosk will reboot and automatically launch the newversion of software. See SCREEN SHOT Y, FIG. 34.

Example 17

Configuration Area

Update Database

Before starting the database update process, you must have validdatabase scripts issued by your installing supplier.

From time to time, updates to the database are necessary as theapplication evolves. As such, changes to tables and/or stored proceduresare required.

Click on the “Run Script” button. The application prompts you for thelocation of the script files to be executed. Once the script has beenexecuted, results are displayed. Once all scripts have been executed, itis recommended to restart the kiosk. You should refer to the sectionRestarting the Kiosk for detailed instructions. See SCREEN SHOT Y, FIG.34.

Example 18

Configuration Area

Restarting the Kiosk

To begin the restart process, click the “Configuration” button from themain menu. On the Configuration page, select the Kiosk tab.

First, click on the “Stop Watchdog” button. Second, click on the “StopKiosk App” button. At this point, the kiosk is no longer running theapplication and will not accept fingerprint data from customers oremployees.

The next step is to click on the “Reboot Kiosk” button.

Once the request to restart the kiosk is accepted, the managementsoftware will automatically close. The kiosk automatically starts theVeraPass application upon a successful reboot. See SCREEN SHOT Z, FIG.35.

Example 19

Configuration Area

General Kiosk Commands

Various troubleshooting items are available within the Kiosk tab. SeeSCREEN SHOT AA, FIG. 36.

Query Kiosk

The kiosk searches for installed components

Relay card

Serial Ports

Fingerprint Reader

Relay Card

Provides feedback for devices found

Watchdog Status

Provides feedback as to whether or not the watchdog service is running

Stop/Start Watchdog

Stops or starts the watchdog service

Kill Kiosk App

Only use this command if the “Stop Kiosk App” fails to stop theapplication.

Run Script, Update Kiosk, Reboot Kiosk

Please refer to the appropriate section outlining the use of eachcommand

Example 20

Configuration Area

Kiosk Log Files

For troubleshooting needs, the log files contain diagnostic data andgeneral feedback from the kiosk application. The log files do notcontain sensitive data—neither customer data nor encryption data aredisplayed.

Within the “Configuration” form, clicking on the Log Files tab bringsthe area into view. Next, click the “Retrieve Available Logs” button toretrieve the log files from the kiosk.

After the log file names are displayed, highlight the appropriate log toview and click the “View Log File” button. The current log file beginswith a tilde character “˜.” See SCREEN SHOT AB, FIG. 37.

Example 21

Configuration Area

Kiosk Advertising

The advertising pictures displayed on the kiosk may be updated at anytime. From within the “Configuration” form, click on the Advertising tabto display the picture controls.

Click on “Retrieve Images” to download the titles currently on thekiosk. To view the image, highlight the file and click the “PreviewImage” button. The preview is located on the right hand side.

To add a picture, click “Upload Image” and select a valid JPEG file fromyour workstation. At present time, only JPEG photos are supported.

To remove a picture, highlight the name and click the “Remove Image”button. See SCREEN SHOT AC, FIG. 38.

Example 22

Kiosk Functionality

Administrative Functions

The kiosk's administrative functions are:

Exit Configuration

Places kiosk back into service

Close Application

Closes VeraPass application

Restart Device

Restarts the kiosk

Update Software

Provides ability to update software. Recommended procedure is to followthe “Update Kiosk Software” within the EMS software.

Test SMTP

Sends a test message via SMTP for diagnostic purposes

Open Door

Only available within the SDB mode

Opens the day-gate into the SDB area

Remove Key

Unlocks the key retention unit, KRU

Open Unrented Container

Only available within the SDB mode

Watchdog Status

Provides feedback on the status of the watchdog service

Toggle Watchdog

If the watchdog service is stopped, it starts it. If the service isstarted, a request to stop the service is sent.

See SCREEN SHOT AD, FIG. 39.

Example 23

Miscellaneous Items

Key Management

Adding a key to the VeraPass system requires the key and encryption datafrom the installing supplier.

Only administrators can add and deactivate keys from the system.

Add New Key

Provide Key Serial Number, SN

ESID

Encryption data from supplier

Short Description of key

Click “Add” once the information is provided

If the supplier provides the encryption data within an external file,the file may be imported by selecting the “Import” button.

Deactivating a Key

Select a key from the drop-down list on the left-hand side

Provide a reason for the deactivation

Click on the “Deactivate” button. This process is not reversible. SeeSCREEN SHOT AE, FIG. 40.

Preferred embodiments of the invention provide a method and apparatusfor securing access to a securable item. The secured area may be acontainer, safe, control, or other item. According to some preferredembodiments, the apparatus and system may include software, such asmanagement software, a Microsoft SQL RDBMS, a display screen (preferablya touch screen with end user interfaces), at least one certifiedbiometric reader, high security programmable keys insertable intocorresponding lock cores, and at least one additional reader for readinga credential, such as for example, an electronically readable card. Inone preferred embodiment of the invention, the high securityprogrammable keys and lock cores are Medico NexGen XT cylinders, coresand keys. According to these embodiments, the “software” may comprisecomputer programs that process data from one or more of a biometricreader or input device, such as a biometric fingerprint reader, anelectronic reader, an input such as an input of a PIN, and one or moreprogrammable electronic keys, such as electronically programmable keys18, which operates to achieve the security function of the invention.

Referring to FIGS. 41-44, an alternate embodiment of a terminal 120manifesting aspects of the invention and used in the course of practiceof the invention is shown in a perspective view. The terminal 120, whichalso may be referred to as a kiosk or data processing machine, is shownconfigured with a fingerprint reader 134, and an electronic reader 140.The terminal 120 includes a screen 128 and a key retention component,such as, the port 130. Although preferred embodiments of the terminal120 are not shown with a key retention unit for housing a plurality ofkeys as part of the device, according to some alternate embodiments akey retention unit for housing keys may be provided (as shown in FIGS. 4and 6 in regard to the terminal 20). According to preferred embodiments,a key retention unit may be separately provided. In the particularterminal 120 illustrated in FIGS. 41-44, a key retention port 130 isprovided as a part of the terminal 120. The key retention port 130preferably is configured to accept keys, such as electronicallyprogrammable keys 18 shown in FIGS. 5 and 8. The terminal 120 also isshown with a plurality of feet 129 provided at the bottom of the unit tofacilitate stabilization on a surface.

Terminal 120 further includes a biometric sensor, preferably afingerprint sensor, which may be positioned as illustrated at 134 inFIG. 43. Alternatively, the biometric sensor, such as the fingerprintsensor 134, may be configured as a separate unit, removed or removablefrom the terminal 120, but located in close proximity thereto andelectronically connected to the software as is terminal 120 for displayof the relevant screens provided by the software on screen 128 ofterminal 120. The biometric sensor 134 is illustrated according to oneembodiment, configured to sense a fingerprint through a reading window134 a (FIG. 41).

Terminal 120 preferably includes a further authentication mechanismcomprising an electronic mechanism 140. The electronic mechanism 140 isconfigured for reading a credential, such as, for example, anelectronically readable identifier or card that can be authenticated.The electronic mechanism 140 preferably comprises an electronic reader.

Terminal 120 preferably includes a key retention port 130 comprising areceptacle for at least one programmable electronic key 18. A user goesto the terminal 120 and places an electronic key 18 into the port 130.When the user identifies himself or herself by some biometric means atthe terminal 120, preferably by supplying a fingerprint read by thefingerprint reader part 134 of terminal 120, the electronic key 18placed within the port 130 is programmed to have the user accesspermissions thereon and is released. The user is permitted to use thekey 18 to open a lock that is secured with the user's electronic key 18.According to a preferred embodiment, a schematic illustration of asystem for managing access to a secured structure is illustrated in FIG.45. A user 500 is represented and accesses the terminal 120, which, inthis illustration, is referred to as a kiosk (designated as an “MFP™kiosk”). The terminal 120 is shown as the hardware that carries out theuser authentication key programming. Once the user is verified with thebiometric identification, and possibly one or more additional factors,such as a PIN and/or credential, the key 18′ is programmed at theterminal 120, and, upon completion of the programming, is released fromthe terminal 120 to the user 500. The key 18′ is provisioned to accessthe designated levels of access of that user. In this example, the user500 may use the provisioned key 18′ to access structures which mayinclude lockers, computer racks, containers, doors, pedestals, safes,and other items and objects.

Referring again to FIGS. 41-44, the terminal 120 is shown having ahousing 121 for housing the components. The housing 121 may be made ofany suitable material, including plastic, metal, or combinationsthereof. According to a preferred embodiment, the terminal housing 121may be constructed of precision-formed, powder-coated metal. Theterminal 120 is configured with an anti-tampering mechanism, which,according to a preferred embodiment, comprises an internal tamperswitch. The terminal 120 preferably is assembled with safety screws, andmay be securely mounted on walls or desks for security purposes. Asillustrated in FIG. 42, the terminal has mounting means comprising apair of mounting holes 122,123 provided on the back panel 124 of theterminal 120.

The terminal 120 illustrated in FIGS. 41-44, is configured to supporttri-factor authentication, consisting of biometric, PIN and/orcredential enrolment and usage. The PIN, often referred to as a personalidentification number, may be any suitable string of numbers, letters orcharacters, and may comprise a passcode or other reference. The terminal120 is shown having a touch screen 128, which preferably is ahigh-resolution, color touchscreen. The terminal 120 is configured withsoftware containing instructions to generate easy-to-use instructionsand guidance displayed on the screen 128 for users, administrators andothers using the system.

As shown in FIGS. 41, 43, and 44, louvers 150,151 are cut into the sidewalls 125,126, respectively, to allow for sufficient passive air flowinside the terminal housing 121. According to one exemplary embodiment,the boot/storage device for the terminal 120 may utilize mSATAtechnology. A hardware processing unit, such as an internal processorhoused within the housing 121, may utilize a quad core, e.g., running at2.0 GHz or greater with fanless cooling. According to an exemplaryembodiment, internal memory is provided, which, for example, may be 8GB. An operating system is provided to manage the operations of theterminal 120. According to an exemplary embodiment, an operating systemmay be Microsoft's Windows 7 Embedded Standard (SP1 or greater) capableof operating in either 32-bit or 64-bit configurations. The terminal 120preferably has one or more external connections, which, for example, areillustrated comprising a power cable port 145, a network jack 146 and anoptional USB port 147. In the preferred embodiment illustrated, Wi-Fi,Bluetooth, NFC or other wireless connections are not supported forsecurity purposes. However, according to some alternate embodiments,wireless communication hardware may be included as part of the terminal120. In addition, the terminal 120 may be configured with othercomponents, such as, for example, microprocessors, controllers,microcontrollers, and memory, including random access memory. A powersupply may be provided to connect with the terminal power cable port145. The power supply may provide a suitable voltage, current or sourceof power to operate the terminal 120 and its components.

A programmable key 18 is docked into the terminal 120 and locked inplace at the key retention port 130 by the software instructing the keyretention mechanism to actuate and retain the key 18 on the port 130,preferably, until programming has completed, thus ensuring properoperation of the programmable key. Alternatively, the software may beconfigured with other instructions for release of a key or to preventlocking of a key, such as, for example, where the key placed on the port130 is low on charge (or fails to meet a charge threshold), or othercondition. According to one preferred embodiment, the method ofauthentication may be carried out by having users authenticatethemselves on the terminal 120 through one or more validation means andthen, by means of the touchscreen interface, select which areas theyrequire access to. According to preferred embodiments, the terminal isconfigured to display only authorized areas for that user. Once the userhas passed the validation requirements, and has been validated throughthe validation means (e.g., biometric identification, credentialrecognition and/or PIN), the authorization data is downloaded to theprogrammable key 18, and then the key 18 is unlocked, allowing the userto remove the key from the key port 130 of the terminal 120.

According to one exemplary embodiment, the system may be configured sothat after a certain (administrator configurable) amount of time hasexpired, the programmable key 18 is rendered inoperable and must bereturned to the terminal 120 in order to receive new programming.According to one preferred system configuration, if a key 18 is returnedto the terminal 120 before the authorized time has expired, the key 18will then be rendered inoperable upon docking with the terminal 120. Inthis manner, any compatible programmable key 18 may be used with theterminal 120. The system, method, and devices, such as the terminal 120,implement provisioning of a key based on the profile of each individualuser (who is validated) and not a specific key.

According to preferred embodiments, the system, method and device, suchas the terminal 120 shown and described herein permits useradministration to be configurable via independent client software thatmay be installed on a modern Windows PC. The PC preferably has networkconnectivity to a centralized repository or directly to the terminal 120being configured. The system preferably provides for configuration ofusers through an interface. Preferably, the user interface providesgraphical screen images that include depictions and text, on theterminal display 128 with instructions for entering information, and/ormaking selections. The interface is clear and intuitive, and preferablycomprises a modern graphical interface. The interface may be customizedfor each administration/user requirement, and is powerful enough forgranular specificity of each user's areas of control and access. Thesystem may be configured through the implementation of client softwarethat resides on a PC (or other computing component), that may be linkedfor communication (such as over a network), to address the terminal 120.The terminal 120 includes software which preferably may be configuredwith menus and graphical displays, so that information may be generatedand displayed on the terminal display 128, and so that information inputthrough the display 128 (e.g., touch screen input, or other input), thebiometric reader 134, the electronic reader 140 and key itself via thekey port 130, may be read, stored, processed, reported and/orcommunicated to the remotely situated PC or other computing component.

The terminal 120 may be configured with software, firmware or the like,which implements security policies. Security of the firmware andsoftware preferably is implemented by configuring the security policieson the terminal 120. Examples of preferred security policies that may beutilized within the terminal 120 include the following: when firstinstalled, configuration tools are not allowed to add “OptionalPackages”; MSMQ is utilized for queuing events when network connectivityis unavailable; SQL Browser service is disabled; end users areencouraged to install their own end-point security software; terminals120 may be joined to domains, if required.

According to preferred embodiments, the terminal 120 is configured toactively monitor the USB bus for changes, and if changes are detected,the terminal 120 may be configured to implement a response, such as, forexample, sending an alert, shutting down the system or terminal 120,recording the change, or combinations of these. According to somealternate embodiments, additional security may be implemented byconfiguring notifications for events relating to a condition of theterminal 120, or a security condition, disabling USB devices, removal ofexternal USB connectors from the terminal 120. The terminal 120 may beconfigured to provide a response to terminal activity, includingactivity that may relate to security or other concern. For example,alerts, such as, for example, security alerts, as well as health alerts,errors and unsuccessful events, may be centrally stored forimplementation into existing 3^(rd) party platforms, and may becommunicated from the terminal 120 to a remote component (e.g., anetwork PC) as they occur. According to preferred embodiments, theterminal 120 is configured with system software that requires theterminal 120 to auto-logon, as there is a user interface. The system,method and device, such as, the terminal 120, is configured to ensurethat the system application is running. For example, if the systemapplication operating on the terminal 120 were to crash, a softwarewatchdog configured into the software of the terminal 120, willautomatically re-boot the terminal 120 to ensure the desktop appearingon the terminal screen display 128 (e.g., from remaining information atthe time of the crash) is not viewable to an end user. According topreferred embodiments, the security is further enhanced by the terminal120 being configured so that the terminal start menu is disabled whenthe terminal 120 launches the operating system. In addition, accordingto preferred embodiments, within the desktop, right-click action isdisabled.

According to preferred embodiments, the operating system is configuredto disable or remove functions and features that would otherwise permitaccess and susceptibility to system changes. For example, as a furthersecurity measure, during initial configuration of each terminal 120, thefollowing items from the OS, if they are present, preferably areremoved, beginning with the “Application Compatibility” template:Browsers (e.g., Internet Explorer), Devices and Printers (e.g., Fax andScan), Fonts (e.g., Japanese Fonts, Japanese Supplemental Fonts, KoreanFonts, Korean Supplemental Fonts, Middle East, South East and SouthAsian Fonts, Middle East, South East and South Asian Supplemental Fonts,Simplified Chinese Fonts, Simplified Chinese Supplemental Fonts,Traditional Chinese Fonts, Traditional Chinese Supplemental Fonts),Graphics and Multimedia (e.g., All Premium Codecs (these require speciallicenses), Media

Player), International IME (e.g., IME Japanese Support, IME KoreanSupport, IME Simplified Chinese Support, IME Traditional ChineseSupport), User Interface (e.g., DVD Maker), Help (e.g., RemoteAssistance), Microsoft Speech API (e.g., Speech Chinese Simplified,Speech Chinese Traditional, Speech French, Speech German, SpeechJapanese, Speech Spanish, Speech UK English, Tablet PC Support, MobilityCenter and Slideshow, Photo Viewer).

The system, method and devices, such as, the terminal 120, may collectand store data, and may be configured to communicate and transmitinformation to a remote location. For example, the system and terminal120 may be configured to provide or operate in conjunction with acentralized database (repository) for storing data consisting of, butnot limited to, users, schedules, privileges, locks, keys, history,audit events and history events. One configuration provides a repositorythat may be located at the end-user's site, while another configurationprovides for a third-party or terminal provider to host the information.

The system is configured to process and manipulate information togenerate reports and evaluate the information. For example, reports maybe customized within the management system. History events, lock audits,operator activity and other user centric reports may also be generatedor made available. For example, reports may be generated and exported toExcel format. Customizable reports may be written directly against therepository for greater integration into existing environments. Thesystem preferably may be updated to receive software upgrades, asrequired. The system preferably may be configured with active directoryintegration. For example, the system may be configured to run ActiveDirectory Domain Services (AD DS), and to authenticate and authorizeusers and computers in a Windows domain type network by assigning andenforcing security policies for the computers and installing or updatingsoftware. The terminal 120 and system for authenticating users andregulating access to locks for electronic keys may be coordinates tooperate with an Active Directory service. For example, when a user logsinto the terminal 120, the terminal 120, where it is configured as partof a Windows domain, may check the submitted password (or otherinformation, e.g., credential biometric identifier) and determinewhether the user is a system administrator or other type of user (e.g.,standard user). According to one example, third party software, such asSAP®, for example, may be supported for importing users as well as userauthentication. Active Directory integration and 3^(rd) party fieldswithin Active Directory (SAP, for example) may be supported forimporting users as well as user authentication.

The system, method and device, such as the terminal 120, preferably donot require a network connection to operate. According to someembodiments, where the terminal 120 is configured to connect and operateon a network, the following additional features may be implemented, suchas, Active Directory Integration (if applicable), Time Sync, EmailAlerts, Database Backup, Enterprise System Administration, and HealthMonitoring. According to a preferred configuration, examples of portsthat may be configured are assigned to include the following:

Ports SQL Operations 1433 System Logs 137, 138, 139, 445 Database backup137, 138, 139, 445 Email Alerts 25 (default value - user configurable)Remote Refresh 8000 Windows Update 8530 - (customizable using GPO)

The system, method and device preferably are configured to generate abackup of the information and terminal settings. For example, backupplans are customizable within the terminal 120. The database may bebacked up locally, and the file may also be moved to a file serverlocation. User name, password, domain, backup location, time of backupand days to run are configurable within the management system. Aterminal 120 as well as a computing component in communication with aterminal 120 may exchange information, including where the terminal 120provides backups to the remote computing component (e.g., a remote PC).Referring to FIG. 47, an exemplary screen shot 91 illustrating a backupsettings window is shown, indicating the times to back up the files, thefile storage location, and the login information. Automated backupsettings are shown in FIG. 47.

The screen shot 91 of FIG. 47 may be generated with software provided ona computing component that is linked or associated to communicate withthe terminal 120. The tabs appearing on the screen shot 91 shown in FIG.47 provide preferred options for managing the system. The management ofthe system preferably includes the abilities to manage users, what usersmay access, for how long, what factor or factors are required in orderto verify a user.

As discussed, the terminal 120 (FIGS. 41-44) is configured to activate,control and download data from electronically programmable keys 18 whichare mechanically locked/unlocked to the terminal 120 by a unique keyretention mechanism which minimizes or eliminates the possibility of akey being removed from the terminal 120 before programming hascompleted. The key retention mechanism preferably is provided at the keyretention port 130, and secures the key 18 thereto. The programmablekeys 18 are then used to activate, control and download data fromelectronically programmable lock cores, such as, for example, the lockcores 14 shown and described herein.

The preferred programmable electronic key 18 fits into terminal 120 andspecifically into the key retention port 130. The key 18 may be chargedor receive power whenever it is in place within the terminal 120 keyport 130. According to some embodiments, keys 18 may be placed on a keybank, which may be provided separate from the terminal 120, and retainsa plurality of keys 18 and charges then simultaneously. A rechargeablebattery within the key 18 assures that the key 18 is always fullycharged when it is positioned on the key bank. Preferably the terminal120 may determine that a key 18 does not have a suitable charge and maytherefore cease commencement of programming the key 18, in which case,the user may return the key for charging to a charging bank or unit, andmay select another key for use. According to some embodiments, theterminal 120 may utilize power to power the key so that the key 18 maybe programed for the user. According to some alternate embodiments, theterminal 120 may be configured to determine the suitability of the keycharge for intended use or uses. For example, the terminal 120 may beconfigured to refuse initialization of a key 18 that does not have asuitable charge, or a minimum charge level, or, alternatively, the key18 may be charged at any charge level.

Authorized users, who may be customers and/or authorized employees of acompany or supplier, must present their previously enrolled biometricidentifier, typically a fingerprint, in order to activate and use thekey 18 provided at the terminal 120. The terminal 120 preferably isconfigured with an input mechanism for inputting information, includingmaking selections. The input mechanism is shown comprising a screendisplay 128, which may be a touch screen, or the terminal 120, accordingto some embodiments, may receive inputs from an input device (e.g.,mouse, pointer, stylus). The user may be required to make an input inorder to activate the key 18. The terminal 120 preferably includes anelectronic reader 140, and accordingly, the terminal 120 may require aninput to be received from the electronic reader 140 in order to activatethe key 18. According to a preferred embodiment, the factors for keyprovisioning may require a user biometric identifier at the biometricsensor 134 to make a biometric identification of the user, make an inputon the display screen 128, and make an input provided at the electronicreader 140.

Once activated, the key 18 may be removed from the key retention port130 of the terminal 120 by the user (or by an authorized employee) inorder to gain access to the secured containment (such as a container,cabinet, or other secured area or item) to which that user is authorizedto have access. Preferably, the key 18 remains programmed for apredetermined amount of time and is rendered inactive after returned toa key retention area, such as the key retention block where keys arehoused for charging. Alternatively, the key 18, when expired orinactive, may be returned to the terminal 120 for reprogramming for thatuser, or for an additional user. According to some embodiments, the key18 may be deactivated after use for one or more use accessions (e.g.,where a key may be used one time to open a first cabinet, and anothertime for a second cabinet, and thereafter is deactivated).

When the key 18 is rendered inactive, it is rendered inactive for thatparticular user. For the user to reactivate the key 18, the user mustplace the key 18 back into the key retention port 130 of the terminal120 and reenter the factor requirements, including the user's biometricidentifier, card and/or screen inputs, for identification of thecustomer by the software. The software permits access only by a specificuser to a secured container or other item based on one or more, andpreferably a combination, of that user's biometric identifier, theuser's electronic credential, and a screen input. The software does notpermit access to a secured item or container by a user using theprogrammable electronic key 18 based on what the user might have in theuser's possession, such as a key fob or card, or what the customer mightknow, such as a personal identification number code. According topreferred embodiments, the key fob, card, personal identification numberor other factor, may be utilized in conjunction with the biometricidentifier. As discussed herein in connection with the terminal 20,while fingerprint is the preferred biometric identifier, hand geometry,facial recognition, eye iris characteristics or DNA characteristics mayalso be used in connection with the terminal 120.

Regarding the terminal 120, the user may conduct enrollment of theuser's fingers as discussed herein in connection with the reader 134 ofthe terminal 120.

According to some preferred embodiments, the user is a company employeewho has access to company vehicles. In order to obtain access to thevehicle, the user must obtain the vehicle key (card or other itemrequired to start and operate the assigned vehicle). The vehicle key maybe maintained is a secured container or location which is secured withan electronic key 18 and a programmable lock 14, and the user may gainaccess to vehicle key by first activating an electronic key 18 throughthe terminal 120 which will open an electronic lock 14 that secures thevehicle key in a location. The user may be identified as a driver, anduser permissions for the vehicle key access (through the lock 14), aswell as access to other areas and items secured with other electroniclocks may be programmed on to that user key 18.

For example, in accordance with the embodiment, the user obtains a key18 from a key storage location, such as a key bank, and the usertherefore, inserts the key 18 into the key retention port 130. The userpreferably presents the user's fingerprint to the sensor 134 of terminal120, and places the electronic key 18 in the key port 130 of theterminal 120, and presents the user credential to the terminal reader140, enters a personal identification access (PIA) string on theterminal screen 128, or presents the user's fingerprint to the sensor134 and does both (i.e., presents the user credential to the terminalreader 140, and enters a PIN). Although the PIN is referred to herein,the PIN may be a personal identification access string (PIA-string) thatincludes numbers, letters and characters, or alternatively, may compriseanother input that the user provides. In the embodiment discussed above,where the user is renting a container, the user takes the electronic key18 and accesses a container using the appropriate electronic key 18.After opening the container and re-docking electronic key 18 at terminal120, the container is considered to be rented.

Users and customers may edit and save their information, such as when auser's or customer's address changes. The changes may require thefingerprint or other biometric identifier for that user be presented tothe terminal 120, as well as an electronic credential that may be readwith the reader 140, and a PIN that may be entered.

To decommission a container, as discussed above, a user or customer maybe required to present his or her finger for verification of thecustomer identity, as well as in connection with the electronicallyreadable credential and/or PIN. Suspension of a container may beimplemented as described herein. To put the container back into anactive state, a user, such as, a supplier representative who is verifiedby one or more, or a combination of all factors, including as afingerprint identity verified representative, who is in possession of acredential that may be read by the reader 140, and who enters anappropriate input on the verification screen of the display 128. Inaddition, co-ownership of c container and container access may becarried out by adding a co-owner, as discussed herein, wherein a user isverified, and factor verification (e.g., of one or more of fingerprintidentification verification, credential verification, and inputverification) is performed again, as set forth above.

The terminal 120 preferably includes software that is configured toaccess and obtain inputs from a credential provided to the employee oruser that the user presents to the reader 140 of the terminal 120. Forexample, an electronically readable card, such as a key fob,magnetically readable card, RF readable card, or other detectible item,may be provided to a user, and may be required to be presented to theterminal 120 in conjunction with the user biometric information in orderto verify a user. In addition, preferably, the software also isconfigured to access and obtain inputs from a personal identificationaccess string, such as a PIN (or PIA), and the user may be required toinput a suitable input, such as, for example, a PIN (or PIA). As usedherein, the PIN may be a string of inputs, such as characters. Forexample, although referred to as a PIN, it is understood that the PINmay be characters or strings that contain components other than numbers.In those implementations, the display screen may be provided to generatea keyboard or indicia for selecting the characters to be input.

According to a preferred embodiment, the system is configured toidentify a user by a fingerprint identification at the terminal 120, asdiscussed herein. According to preferred embodiments, the terminal 120includes an electronic reader 140 that is configured to read acredential. The credential preferably may be associated with a user, andtherefore, user biometric data information. A PIN or accessidentification input (PIA) also may be required in order to obtainverification. For example, in the event that a user would provide theuser identification credential to another, and provide the user's accesscode or PIN (or PIA), (which, for example, a user may do intentionallyor unintentionally where it is stolen from the user), that other who isin possession of the user credential and user access PIN (PIA), wouldnot be able to gain access. The unauthorized individual however,although possessing the credential and access PIN, does not have theuser biometric information and therefore is denied access.

In addition, the credential may provide further information about theuser, and the system may store and retain the history of the terminalusage, including attempted access, attempts to provision a key for alock not authorized, inputs that identify a user PIN or user credentialat a terminal.

Embodiments of the system, method and device are configured to provisiondifferent keys for different users, where the different users havedifferent levels of authority (e.g., authorization access), along withthe capability to require multiple credentials for assigningelectromechanical lock cores based in the individual user's uniqueprofile. The terminal 120 may be configured to implement theprovisioning of keys for the unique individual user profile, as well astriggering actuations and events based on the usage of the terminal 120,keys 18 and lock cores 14. For example, according to some embodiments,the terminal 120 may be provided with a traditional relay card so thatdry contact open/close relay outputs may be programmed within associatedsoftware, such as, for example, management software, to trigger based onan event at the terminal 120. According to one exemplary embodiment, forexample, the terminal 120 may be programmed to open or close a specificrelay each time a key 18 is programmed that will trip a camera system toimplement an action, such as, to tag recorded video or to trigger anaccess control system to open a particular door or tie into any thirdparty system that can operate a dry contact.

According to some embodiments, the terminal 120 may be configured withsoftware to implement pro-active exception reporting. Each terminal 120may be provided with software that contains instructions to record andstore event histories. The histories preferably may be stored on theterminal 120 (e.g., on a storage element, such as, for example, a harddrive or flash drive). Event histories also may be stored at a remotelocation, such as, for example, a corporate repository. The system maybe configured to utilize terminals 120 which are configured tocommunicate information (including histories) to a remote computingcomponent (such as a remotely situated server). The terminal data, suchas, event history, is readily available and may be mined from theterminal 120 on an as needed basis. According to another configuration,the system may be configured to have the terminal 120 push all data, orcertain of the pre-defined data elements, to a remote component, suchas, for example, the corporate server computer. The system may provideuser configurable selection options for determining which information isdesired to be communicated from the terminal 120, including thefrequency of the information, real-time (e.g., as the data is obtained),delayed (e.g., once a day, or once an hour), or event-driven (e.g.,where a user response or past or present action triggers an alert). Forexample, user-configurable exception reports may be communicated, forexample, by being pushed to an email distribution list on a nearreal-time basis (for example, when a key is returned to the terminal 120and/or at a specific time of day). Some examples of exception reportsmay include keys not returned to the terminal 120, cabinets not locked(proper electronic lock cylinder required), key spent too long of timeat a container or not at a container long enough, locks not touched (nokey presented into lock), attempted opening of containers not assignedto the key (or user), as well as other actions of interest that may becoordinated in connection with a key and lock access information.

The system, method and device may be configured to implement surveys.According to some embodiments, the surveys may be customizable andpushed down to specific user groups or to an entire user group, and maybe updated and changed within the management software by people with theauthority to do so. The survey results may be compared with requirementsof the survey presenter (who may be the owner of the terminal system, anorganization or company, employer or other relation to the surveyeduser) in order to determine whether the survey results fall within aparticular parameter of the survey presenter. Some examples of activitythat the system may implement in conjunction with survey results mayinclude, simply recording the answers (the data) for later mining (use)and program the key as usual; not program a key and return the user tothe start of the process (e.g., via a the terminal menu screen) and letthe user know that the user's answers fell outside of the requiredanswers; program a key but send an alert out, for example, to the user'ssupervisor or to a distribution list if the answer is a particularresponse or falls outside of the parameters; or program the key asnormal because all answers fall within the requirements. Other examplesof actions that may be implemented include if the survey is ignored forone or other predetermined amount of time the system may be instructednot to program a key for that user because the user did not answer, andthe system may further be configured to send an alert. Another action inresponse to user survey inputs may be for the terminal to continue asusual with or without the survey being completed.

The terminal 120 may be provided with software configured withinstructions to generate inquiries or survey questions to a user. Thesoftware may be manipulated through the terminal 120 or through the useof a remotely situated computing component, such as a server, thatcommunicates with the terminal 120 to manage the terminal 120. Themanagement of the terminal 120 may involve arranging the information tobe displayed and collected, as well as retrieving information from theterminal 120. The terminal 120 may be provided with user permissions andassociations for access to one or more locations, containers, locks orother items. The user permissions may be provided directly on theterminal 120 or according to some other embodiments, may be communicatedto the terminal 120 from another computing component (e.g., such as aremote server). The terminal 120 preferably is configured to identify auser through the factor identification (e.g., biometric identification,credential and/or PIN), and, when the terminal 120 has identified auser, the user association data may be used to implement further stepsto permit the user to have access to program a key, to deny programmingof a key, or to limit programming of a key. According to some preferredembodiments, upon identification of a user, the user associationinformation is implemented to generate options for that user. In someembodiments, the options include a survey which may require the user toperform a task (which may be monitored), require the user to respond toone or more inquiries, or require some other input or operation from theuser. For example, an identified user may be assigned a user group ordesignation, such as a driver group, and the terminal 120 may beconfigured to query the driver group users (upon identification) as to acondition of a vehicle (e.g., whether it has a full tank of gas, isclean, or is loaded with inventory). The terminal 120 also may beconfigured to identify user data, and, upon identification of a user,may check for outstanding conditions for that user. The terminal 120 mayidentify a license expiration, and require the condition be remediatedbefore the identified user is provided with access to a programmed key.The terminal 120 may generate an input screen that is linked to the userlicense data, and may provide the user with the ability to enter intothe screen, updated license information. This may be done as a conditionto provide the user with a programmed key, or may be done as a conditionto provide the user key with certain access levels (e.g., such as accessto the vehicle key or key locker).

The system, method and device may be utilized in connection with avariety of organizations and users. For example, the system, method anddevice may be configured for use with traditional retail type customers,including, anchor stores, large/small chain stores, boutiques,convenient, fast food type stores and the like. The system, method anddevice may be utilized for pharmacy or retail drug stores includingpharmacy chain stores. Organizations that utilize the electronic keysand lock system may include logistics firms and industrial typecompanies. Governmental organizations also may utilize the system,method and device to provide secure access for different users havingdifferent access permissions. The organizations may implement the systemwhere access to a container or other item is regulated and whereinformation in regard to the access events, or as a prerequisite toaccess permissions (or denials), is obtained. The information may becoupled with usage data, such as, for example, where the key usage, suchas, key and lock accessions, time of accession, durations, and the like,may be utilized and coordinated to make determinations for associatedalerts or other actuations, including regulations of the key and/or lockpermissions and attributes (or further regulations of a key alreadyprogrammed for access).

According to some embodiments, the terminal 120 may be managed by theterminal owner or operating organization to present a survey to a userwho is presenting a key to the terminal for lock access programming.According to some embodiments, the terminal may be programmed with anoption to go to or not go to a survey, as the terminal owner oroperating organization desires. Preferred embodiments provide a surveythat may include queries that include multiple choice responses as wellas yes/no questions. The terminal preferably may be configured toprovide the survey queries, as the terminal owner or operatingorganization desires. A terminal interface is provided for providingprogramming, including queries that are stored and displayed when a useraccesses the terminal to program or actuate a key. The survey mechanismof the terminal preferably includes software with instructions forproviding the survey queries, and for coupling the responses with anaction. The survey data may be mined for actual installs of the system,a lock cylinder or key actuation. For example, responses to a survey maybe ascertained and evaluated by comparison to a threshold orpredetermined response value, and the value may be used to actuate atrigger or other action. The action may include regulating a key access(e.g., to one or more lock cylinders), or regulating a portion or otherlimitation or condition of that access.

Example 24

One example of a survey involves a company querying an employee who isprogramming a key.

One exemplary survey is set forth below:

Question 1: Did you complete the pre-opening routine as detailed inCompany Handbook? (see FIG. 54)

-   -   Yes or no (yes continues to next question, no does not program        key—tells them why and returns to main menu)

Question 2: The store is clean, neat, orderly and ready to open

-   -   Strongly agree    -   Agree    -   Disagree    -   Strongly disagree

(See FIG. 55)

Question 3: Do you have a valid driver's license?

Yes or no (same as above yes or no)

(See FIG. 56) EXAMPLE 25

Retailers

In retail applications, the terminal, such as, for example, theterminals 20,120 shown and described herein, may be placed in a suitablelocation where personnel may access keys and program the keys using theuser's biometric identifier and one or more other credentials (e.g., aPIN or electronic card). The retail establishment may utilize electroniclock cores to secure access to locations, items, hardware, storage andinventory locations. For example, the electronic lock cylinders may beused in conjunction with one or more electronic keys to regulate accessto office doors, display cases, storage lockers/cabinets, ITclosets/rooms/racks, filing cabinets, loading docks, personnel lockers,cash rooms, and other locations and structures.

Example 26

The system is implemented in a jewelry store. The electronic locks maybe installed to control access to jewelry cases. One or more terminalsmay be located within the jewelry store. The users may have shifts wherethe user is present at designated time intervals. For example, a useremployee's shift times may be coordinated with the user access to thejewelry cases. For example, where the user has activated a key, the keymay access the jewelry case for the duration of the user's shift. Inaddition, the key may be programmed, when actuated, to expire at theconclusion of the shift, thereby preventing access to the jewelry caseafter the shift time. Alternatively, according to some otherembodiments, the user key, may be deactivated for a jewelry case at thetermination of the user's shift, but may remain active for one or moreother uses, e.g., operation of security system or closure, such as analarm or roll-up doors. The system may be used to track accesses byindividuals having access to the jewelry cases, and other uses where thekey provides access through an electronic lock for that user. Theterminals may be configured to obtain data and conduct productacceptance analytics. The key programming may be coordinated with accessoperations such as safes, roll-up doors, or bars, door locking or alarmsystems. The terminal may be provided on site, at each jewelry storelocation for programming keys that different employees use. The users ofthe keys also may be provided with an electronic credential which theuser presents to the terminal (reader) for verification. The biometricidentification of a user may be one factor for verification, while anelectronic credential may be another. A further PIN or code may berequired by the user. The terminal may be configured to require an inputfrom the user (e.g., on the touch screen), and the receipt of the properinput provides a further verification. According to preferredembodiments the personnel may be required to provide a biometricidentification and one or more or both, an electronic credential or PIN(access code). The user key may be programmed to open or operate thoseelectronic cylinders to which the user is authorized to access. In theexample where use of a terminal is in the jewelry store, monitoringinputs may be done by uploading the access information stored in theterminal at the physical terminal, or may be done through acommunication link from the terminal to a remote computing component.The terminal also may be provided to upload information at a specifictime. According to preferred embodiments, the key may retain theinformation, even when it is no longer active for a particular user. Inthis manner, the key, when placed in the terminal (even by another userwho has selected that key from the key holding location, e.g., a keybank, charger, etc.), is read by the terminal, so that the informationfrom the prior user (including, cylinders/locks accessed, or that wereattempted to access, dates and times of access, as well as, operationsof doors and safes (i.e., opening, closing), may be retained. Ininstances where the jewelry store is a single chain store, a pluralityof terminals (at least one at each store) may be provided and theterminals may communicate information to a central repository (which maybe done through a communication linkage, or by uploading the terminalinformation).

Example 27

Convenience Stores

The system may be implemented in a convenience store operation, wherethe key may be programmed to regulate user access to applications suchas, for example, cash lockers, cigarette stamps, checkout counters, fuelislands, industrial process equipment, electrical/mechanical boxes, mandoors, IT racks, etc.

Example 28

Pharmacies

The system may be implemented in a pharmacy, where the key may beprogrammed to regulate user access to areas such as, for example,storage lockers, man doors, checkout counters, IT closets and racks,etc. The eCylinder or electronic lock may be provided where a user keyaction is required to unlock or otherwise conduct an operation(actuating an alarm, operating a switch for a door closure, and thelike).

Example 29

The system, method and device may be used to provide regulation ofperimeter doors of a building, such as a warehouse, store, restaurant,gas station, or other establishment. For example, some users may haveaccess to a cash register by the programming of the user key uponverification of the user's biometric information, and PIN or electroniccredential (or all three) at the time the user is verified at theterminal. Another user may be verified, but the verification may onlyprovide that user with access to a storage closet for supplies, and notthe cash register.

Example 30

In this example, a terminal is provided and a user desires to verify theuser in order to have access to locations and items that the user, whois an employee, requires for performing the user's duties. In thissituation, the terminal is programmed with software containinginstructions to present a survey to the user. The survey preferablyappears on the terminal display. In this example, the survey is on thedisplay touch screen. Survey questions may be tailored by the terminalowner or operating company. In this case a survey is presented on thescreen of the terminal for the user to respond to the following queries.

1. Have you completed safety checklist per regulation 16-325?

2. Do you have your safety glasses?

3. Are your tools calibrated per regulation 18-456?

In these queries, the user has two selection options for each question,“yes” or “no”. The system is configured so that if the safety checklistis not completed, per regulation 16-325, then the user key will not beprogrammed. The terminal records the responses and compares them to thepassing responses. In this example, the passing responses areaffirmative responses (i.e., “yes”) to each response. With the responsesin place, the terminal owner or company may be assured that the user hasprovided the proper procedure accountability for the safety and toolcalibration procedures.

Example 31

This example is similar to Example 30 immediately above, however, thesurvey provides queries for the user to respond with inputs from aselection menu. The menu provides the user with the opportunity torespond to specific questions about equipment, a condition of a vehicle,or other item of the safety checklist. According to another example, theuser tools calibration menu may identify one or more specific tools thatthe user identifies as having been calibrated.

Further examples are illustrated in connection with screen shotsappearing on a screen of a computing component display (e.g., in thecase of the management screen shot 91 of FIG. 47) and/or a terminalscreen display 128. Referring to the screen shots depicted in FIG. 47,and in FIGS. 48-50, the management system is shown by representingexemplary configurations of screen displays. FIG. 47 illustrates a menuof a screen shot 91 that may regulate the system and provide operationoptions for the terminal, such as the terminals 20, 120, and which maybe implemented on a computing component, such as, for example, aremotely linked computer that may be configured to provide informationthat the terminal 20,120 may download or access through a communicationslink, to regulate user permissions and accesses to electronic cylinders,when programming keys that are presented to the terminal 20,120 forprovisioning. The screen shots illustrated in FIGS. 47-50 illustrate anumber of examples of implementations of the system. According to apreferred embodiment, a computer is utilized to generate menus thatappear on the screen display using software that includes instructionsfor presenting the menus to a user. As discussed herein, the screen shot91 may be used to configure the options for user interaction andrequirements at a terminal 120, which may include authenticationevaluation, information intake from the user (e.g., surveys), andconfiguring the permissions and requirements for user access.

Referring to FIG. 48, the screen display illustrates a screen shot 160that is generated to be displayed on the screen 128 of the terminal 120.The terminal 120 is placed in administrator or admin mode. In thisconfiguration, the fingerprint reader 134 is deactivated or disabled.The “about” tab is selected and showing the about screen 161 indicatingthe version of the software or the terminal operating system, andproviding the license information. Referring to FIG. 49, the screen shot162 is shown where the tab labeled “Log Events” 163 (adjacent the“about” tab 164, see FIG. 48) has been selected. The log of eventsillustrates a box 165 containing a plurality of event logs, each ofwhich is labeled with a file name, which in this example, includes thedate. For illustration, the event log of Jan. 27, 2016 is selected,which is “appLogFile_20160127.log” 166, and which displays in a window167 to provide a record of the events. In addition, options, whichinclude respective selection buttons, are provided for retrieving thelog 168, viewing the log 169, and communicating the log to tech support170. In addition to the about screen 161 and log screen 162, FIG. 50illustrates a screen shot showing a functions screen 172. The functionsscreen 172 provides selection buttons for operating the terminal 20,120,and is illustrated as a selection through a “functions” tab option 173on the menu. The functions screen 172 provides a plurality of selectionbuttons for options to allow administrative functions to be implementedon the terminal 120. Examples of options for operating the kiosk orterminal 120, may include restarting the kiosk (restart kiosk button175), powering down the kiosk (power down kiosk button 176), closing theapplication (close application button 177), operating a watchdog status(watchdog status button 178), toggling watchdog (toggle watchdog button179), remove key(s) operation (remove key(s) button 181), and placingthe terminal back in service (place back in service button 182).Additional operation options and buttons may be provided to controlfunctions and features of the terminal 120, such as, for example,uploading of files or information.

The user interface may be provided to generate displays of text andimages on the terminal screen display 128 which are presented to usersand operators of the terminal. In addition to the administrativefunctions that are configured to provide selection options for operationof the terminal 120, the user may be provided with instructions forutilizing the terminal 120 in connection with one or more electronickeys 18. As illustrated in FIG. 51, a screen shot 183 is shown on whichthe system name or logo 185 (or other information) may be provided. Thescreen shot 183 may be configured to appear as a home screen for theterminal 120. The screen shot 183 also is shown with an actuationbutton, which is a “start” button 186, and an operating instruction 187displayed on the screen 183. The operating instruction may change as theuser operates the terminal 120. The first operating instruction 187requests that the user place the user's finger on the reader 134. Oncethe user has placed the user's finger on the reader 134, and theterminal 120 processes the input of the read, the display screen 128 ofthe terminal 120 may present further instructions, or may continue theprocedure. According to some embodiments, the terminal 120 is configuredto display another menu on the display screen 128. The screen maypresent a display of an image (including graphics, text or combinationsthereof) directed to the user, which may ask for the user's credential,such as, for example, an electronic credential that the user presents tothe electronic reader 140 of the terminal 120. Alternatively, or inaddition to the electronic credential requirement, the terminal 120 maybe configured to display a request or screen where the user may enter aninput, such as a PIN or other character string (e.g., a PIA). As shownin FIG. 52, an screen shot 190 shows an example of an entry screendisplayed on the terminal 120 having a keypad, which, according to somepreferred embodiments, is displayed on the touch screen 128 of theterminal 120. The keypad 191 is illustrated according to an exemplaryembodiment comprising ten digits, a clear button 192, a cancel button193, and an “OK” or “enter” button 194. Upon a successful biometricmatch, and combination of PIN or electronic credential (or a match ofall three factors), the inputs are recognized to be associated with auser through the verification of the factors. The user permissions areassociated with the identified user through the software configured onthe terminal 120. The user that has been verified in this example isnamed Tim. As shown in the screen shot 196 of FIG. 53, the user Tim hasbeen identified through the biometric identification, electroniccredential and/or PIN. In the screen shot 196 illustrated in FIG. 53,the user access privileges are displayed and listed on the left side ofthe screen. The user privileges may be displayed, which in this example,include two locks that are identified by lock number (or electroniccylinder number) 197,198, and a drawer and a door identified by anidentifying name and/or location, which in this example are drawer front200 and front door 201. Preferred implementations provide an indicatorof the battery status of the key, which, in this example, is a writtencharge status indication, e.g., “good”, 202. A key status “ready” 203 isalso provided to show the status of a key 18 that is inserted into theterminal key receptacle 130. Selection buttons shown comprising arrows204,205 may be actuated to scroll through the screen menu and makeselections, such as, for example, any of the menu options listed in theselection menu 206 on the right side of the screen. According to theexemplary embodiment illustrated, the menu selections may includeservice, log out, all, none, and get key. The selection arrows 204,205may be used to navigate through the selections of the menu 206, or toselect the components from the access list 208 on the left of the screen196.

According to preferred embodiments, the system is configured to providea survey that requires user inputs to be entered. One example of asurvey is illustrated through the screen shots shown in FIGS. 54-56. Thesurvey may be configured as described herein, and may be prepared usingthe system tools options, such as, for example, those provided inconnection with a management screen shown in the screen shot 91 of FIG.47, by selecting an appropriate tab to produce a survey. In the exampleillustrated as the screen shot 211 in FIG. 54, a survey is generated andpresented to the user on the terminal display screen 128. The surveypreferably is associated to display itself when a user assigned to acategory of users designated to respond to the survey queries isidentified. In instances where the user has already fulfilled a surveyrequirement from a previous log on, or identification, the survey may beconfigured not to appear. However, in some instances, the survey isconfigured to generate and require responses for each user access. Inthe example depicted in FIGS. 54-56, a screen shot 211 is generated toappear on the terminal screen display 128, which presents Question #1 ofa three question survey that is intended for the user, and whichrequires the user's inputs. The screen display 128 shows a screen shot211 that presents a question inquiring of the user whether the usercompleted a pre-opening routine 212. There are options for respondingthat include a button for “yes” a button for “no”, and a check mark 218and an “x” 219. The options for responding preferably are displayed tocorrespond with locations on the terminal touch screen display 128,which record inputs of the user when touched in those locations. Thecheck mark or “x” may be used at the terminal touch screen 128 toprovide the user input or response, where depressing or selecting the“x” may highlight the “no” indicator 214, and where depressing orselecting the check mark may highlight the “yes” indicator 215. Arrowbuttons 216,217 also are provided and allow the user to move to the nextor to a prior screen or question. Alternately, according to someembodiments, the arrow buttons 216,217 may provide the user with theability to navigate through a menu.

Referring to FIG. 55, as shown on the screen shot 213, Question #2 ofthree is presented, and, instead of the yes/no response called for byQuestion 1 (FIG. 54), four options for a response are available for theuser to select, including “Strongly Agree” (button 220), Agree (button221), Disagree (button 222), and Strongly Disagree (button 223). Arrows216 a,217 a may be used to navigate through the selection options tohighlight an appropriate response that the user desires to make, andwhen highlighted, the check mark 218 a may be depressed or selected toconfirm and enter the selection. The “x” 219 a also may be used for analternate option. In this instance, the survey continues to a thirdquestion.

Referring to FIG. 56, as shown on screen shot 251, Question #3 of threeis presented, and provides selections options similar to the screen shot211 of FIG. 54. A yes/no response called for by Question 3 is presented,with a selection option for “yes” 215 c and for “no” 214 c. Arrows 216c,217 c may be used to navigate through the selection options tohighlight an appropriate response that the user desires to make, andwhen highlighted, the check mark 218 c may be depressed or selected toconfirm and enter the selection. The “x” 219 c also may be used for analternate option. In this instance, the survey is completed with theresponse to the third question.

Once the user has successfully verified the user's identity (through thebiometric identification, or through the biometric identification andone or more other factors), the key may be made available to the user.The key may be programmed with the user access permissions. According tosome preferred embodiments, the key is locked with the terminalretaining mechanism and is not released until the programming hascompleted, or where no programming is to occur by virtue of the userfailing to be identified, or failing to respond or provide anappropriate response to a survey or survey query, until the useropportunity to verify or respond has concluded. FIG. 57 shows a screenshot 230 which provides the user with an option of whether to releasethe key (in this screen shot 230 by selecting “yes” or “no”. The usermay opt to release the key, or, if the user requires something further,the user may leave the key in place and proceed with further programmingoptions. (For example, in the instance where, as in FIG. 9, the terminal20 has an option for multiple keys, the key may remain and another keymay be inserted into another key retaining port.)

In the example shown in FIG. 57, a screen shot 230 is shown where theuser is presented with a selection whether the user wants to release thekey. In this example, the user selects “yes” to release the key, and theterminal 120 generates on the terminal display screen 128 another screenshot 231, as shown in FIG. 58. In this example, the screen shot 231 ofFIG. 58 shows the identification of the available containers that theuser may access in the “Available Containers” list 232. The screendisplay also provides a status information window 233 indicating thestatus of the key, which in this example, indicates that the key isready for use, and instructs the user to remove the key. In addition,the system and terminal 20,120 may be configured with a mechanism thatwill provide a time limit for a user to remove a key from the terminal120 once the user has completed the verification and any otherrequirements for programming the key, and the user has selected (if theoption is present) for the terminal 120 to release the key. The timelimit may count down a number of seconds, such as 10, and display thecounter 234. In the event the user is distracted or called away from theterminal prior to removal of the key, and the key is not removed withinthe time limit, the system may implement a number of responses,including blanking the key, deactivating the key, actuating the lockingmechanism to lock the key for a period in case the user returns withinthat period, or take some other response.

According to some embodiments, the system may be configured withinstructions for process notifications. In an exemplary implementation,the terminal 120 is configured with software containing instructions toreceive an input from a key. The key may be used to access one or morekey receptacles or key ports, which may be an eCylinder. For example,the key may be used to access a number of ports, such as, for example,eCylinders of locks. Preferably, the key records the access thereof byrecording access information which identifies characteristics of theeCylinder to which the key engaged. The key may engage a key port, suchas, for example, an eCylinder, and actuate the cylinder to provideaccess or to close access, or, in other instances, the key may be deniedan operation (e.g., denied access, or denied closing). The keyaccessions are done at particular cylinders and the key retains thecylinders into which the key was inserted. The key also may record thecylinder identity, as well as sequence information identifying thesequence of the key locations, such as which eCylinders were accessedand in what order. According to some embodiments, a time also isassociated with the key accesses, so that when a key accesses aneCylinder, the time at which the key accesses the cylinder also may berecorded and associated with the cylinder. The system preferablymaintains a record of key attempts to access a cylinder, includingwhether the access was successful, such as, for example, a successfulactuation (e.g., opening or closing of a lock, actuation of a switch).The terminal 120 may include software that is configured withinstructions for designating key access sequences, based on, forexample, eCylinder sequential accessions, time-based accessions, orcombination of these. As illustrated in accordance with an exemplaryembodiment in FIG. 59, a screen shot 260 is shown depicting a managementconfiguration screen display, which provides options for designating asequence order in which a key is to access a plurality of eCylinders(such as those of eLocks). The sequence depicted is named “office tour”which is designated in the sequence box 261, along with a start time andend time, and a further selection option for whether the sequence isactive or inactive (checked box). A sequence order 262 is designated fora number of keys that are selected, which in this example, areidentified by their respective description (e.g., container description263), and a lock serial number 264. The key sequence may be provided fora number of containers, or groups of containers. In addition, alerts maybe selected to correspond with key operations that fail to follow thesequence order. A key may record the access points, such as, forexample, eCylinders that were engaged with the key. The information mayinclude the identification of the eCylinder (e.g., serial oridentification number), which may correspond with or include theeCylinder location, the time of access (which may be an actual time,such as, EST, GMT, etc., or a relative time), and date of access. Thekey preferably records the sequence of eCylinders accessed, and anactuation status, which may include whether the eCylinder was opened,closed, locked, unlocked, actuated, deactivated, etc. Upon carrying outa cylinder accession sequence with the key, the key is docked at a keyretention port of the hardware, such as a key retention component.According to an exemplary embodiment, the key is inserted into the keyretention port 130 of the terminal 120. The terminal 120 is configuredto obtain the information from the key and preferably store and/orprocess the information. The terminal 120 software preferably isconfigured with a designated access sequence that designates particularkey access points, such as particular eCylinders at their sequence ofaccess. The terminal 120 having obtained the access and sequenceinformation from the key, is configured with software containinginstructions to process the key access information. The key accessinformation is compared with the designated sequence for cylinderaccess. If the access sequence of the key access matches the designatedsequence, then a record of the confirming activity may be made, or oneor more other actions, such as recording the information or confirmationin a database, or preparing the information for forwarding to arepository, or forwarding the information to a repository. In instanceswhere the terminal 120 is not in communication with another computingunit, or is not configured to communicate, then the information may beobtained from the terminal 120 at any time. In instances where theterminal 120 is configured to communicate (e.g., over a network), to aremotely situated computing component, such as, for example, amanagement server, then the terminal 120 may be programmed toperiodically, or automatically upon confirming the sequence, communicatethe information or the status of the key accesses (e.g., passingsequence access or status) to a remotely situated component.

The terminal 120 preferably is configured to identify instances of keyoperations where the key may be used out of conformance with adesignated sequence, or where the key is not used within a particulartime interval, or both. For example, a designated sequence of eCylindersmay be established. A user may activate a key by the verificationprocedures discussed herein. The user may then use the key to access keyports, such as, for example, eCylinders. The key preferably records theaccesses, which, for example, may be the identification of theeCylinders engaged by the key. The key is then docked at the terminal120 key retention port 130. According to some preferred embodiments,once the key is activated based on the user being successfully verified,the key access may be timed so that the key has a limited time withinwhich to access the locks or to complete a lock sequence access. Wherethe user fails to complete the lock sequence access within the specifiedtime, the key may be rendered inactive, or an alert may be issued fromthe terminal 120 (e.g., where the terminal 120 expects the key to bereturned within a particular time period, and where the key has not beenreturned). The alert may be issued over a communication network, suchas, for example, to a remotely situated computing component.

The key preferably records the accesses, which, for example, may be theidentification of the eCylinders engaged by the key, and preferably thesequence information and timing also is recorded. The key is then dockedat the terminal 120 key retention port 130, and the information isobtained from the key. Where the key sequence information does notcorrespond with the designated eCylinder access sequence, the terminal120 may be configured to undertake an action. The action may includecommunicating an alert, actuating a lock to block or restrict access toa particular area, location, cabinet, or item, actuate an alarm, make acall for assistance or aid, send an electronic signal message, such asan email, page or the like. The terminal 120 also may be configured withinstructions to actuate a dry contact, which may actuate a relay orother mechanism. The other mechanism may be an existing component, suchas, for example, an alarm system. The system may be configured to manageoperations of one or more alerting components, such as the trigger of analarm system, a locking mechanism for a lock whose access is notregulated by the key or eCylinder.

An example of the system is embodied in an implementation where a useris an employee of a company. The company has a facility and the user ischarged with the responsibility of opening the facility. The user opensthe facility in the morning (and may also close the facility at the endof the day). The user must first access the entry door, which isregulated with a lock. The user may use any means to gain access to thefacility. According to some embodiments, the user may unlock a panelproviding access to a terminal 120, which the user may operate to verifythe user, activate a key, and obtain further access to the premises orother locations. In this example, once the user gains access through thedoor (or panel), the user activates a key at the terminal 120. The keymay be obtained from a key retention bank with one or more keys. Theuser then inserts the key into the key retention port 130 of theterminal 120. Upon successful verification of the user at the terminal120 using the methods depicted and described herein, the user key isprovisioned and actuated with appropriate codes corresponding with theeCylinders that the user is to access. The terminal 120 is configuredwith a designated sequence for the user to follow. According topreferred implementations, the designated sequence has been previouslycommunicated to the user. The user therefore embarks on the openingsequence by accessing or opening locks (which may be actuatingeCylinders) in the designated sequence. The key records the time atwhich the key was authorized at the terminal 120 (which may be the timeof removal of the key from the terminal key retention port 130, whichmay be required to be removed within a set time of actuation). In thisexemplary implementation, the user opens locks (which are eCylinderlocks). The user, after completion of the access sequence, returns to aterminal 120, where the user inserts the key into the key retention port130. The terminal 120 to which the key is actuated and/or returned maybe a single terminal provided at the facility, a specially designatedterminal at the facility, or any one terminal of a plurality ofterminals at the facility. When the key is inserted at the terminal 120after having performed the lock access sequence, the key information,including the eCylinder identification, time of identification, andsequence of access, is obtained from the key. The information, andpreferably the access sequence is compared with the designated sequence.Where the key sequence conforms with the designated sequence, indicatingthat the access sequence has been carried out, the terminal 120 mayrecord the status, and confirm compliance. According to someembodiments, the terminal 120 may be installed or configured with atemporary window, which delays activation of the sequence remedies toprovide a period so that users may familiarize themselves with theproper key and sequence usage. The key access and sequence order may beimplemented to confirm compliance with particular actions that thecompany or its employees or other personnel are required to carry out.According to some preferred embodiments, the key sequence may includeeCylinders which are associated with one or more locks, or actuationcomponents, that signify that an action has taken place. Wherecompliance reporting is required, such as, for example, accounting foractivities or sequences of activities, the system may be configured tostore the key access and usage information and generate reports thatidentify compliance, or, a level of compliance. Therefore, in accordancewith the example, where the employee completes the access sequence byusing the key in a designated eCylinders in accordance with thedesignated sequence order, the system identifies that activity ascompliance. The compliance is recorded for that time, which in thisexample, is the opening of the facility. According to embodiments, theemployee may carry out a designated sequence of eCylinder accesses toclose the facility, and like the opening of the facility, informationmay be retained and used to confirm compliance.

The following is an exemplary depiction of the system, where theterminal is used in conjunction with a locker mode implementation. Inthis example, a key is docked in a key receptacle associated with theterminal, and upon receiving the key in the receptacle, the key iselectronically connected to the terminal processor to be read. If thekey is not a first time used key or blanked key, then the key auditinformation exists on a key. The full history, such as, for example, whoused the key, what lock or locks was the key used, including successfuluses and/or attempted/failed uses, where and when the key was used, isdownloaded from the key, and preferably is stored at the kiosk (e.g., ifa touch screen kiosk, such as terminal 120 is used), and/or, accordingto some embodiments, may be pushed to a central repository. According toembodiments, the key, after having the key history informationdownloaded therefrom, is then blanked. Once the pre-enrolled userverifies/identifies themselves through one or more factors (or acombination of factors according to preferred implementations, such as,e.g., pin code, card and/or biometric identifier—such as fingerprint,face, hand, iris, DNA, etc.) at the terminal using the associatedbiometric reader, credential reader, input component (e.g.,touchscreen), a plurality of selections may be presented. For example,the touchscreen may provide touch point selections on the touchscreenfor a single eLock (customizable name) or group of eCylinders(eLocks/electro mechanical lock cylinders or combination of, that may begrouped in a single selection point with a customizable name, together)represented by one touch point on the screen for the user to select.Once the user selects which locks, or group of locks or other (triprelay, turn on lights, etc.) via an individual touch point, the key(preferably positioned in an associated key receptacle) is programmed tooperate only those selected e locks, and preferably, only for apredetermined amount of time or corresponding schedule, as previouslydesignated (as previously programmed by the administrator or systemmanagement). In this example, once the key has been provided with thecodes for the corresponding designated eCylinders and schedules, theuser removes the key from the key receptacle and moves forwardaccordingly to use the key. According to some embodiments, the key mayremain retained in the receptacle until the programming is completed (orother sequence is completed, such as downloading of the key history,blanking the key, or other operation). According to some embodiments,the eCylinder codes may remain on the key after the key is blanked, butare not available to the user unless that user is authorized. Thisimplementation may provide time savings where a number of eCylindercodes are to be loaded on a key. This example of a locker modeimplementation may utilize one or more features described herein inconnection with other examples and depictions.

Referring to FIG. 60, a screen shot 270 is shown depicting a locker modeimplementation, where the screen shot 270 appears on a touch screendisplay, which preferably may be generated on a touch screen display 128of terminal 120. The screen shot shows selection button or icon providedfor one or more locks and/or groups of locks. For example, a lock orgroup of locks that may be selected by the user in order to have thecorresponding codes for those locks (or eCylinders) provided on the userkey. In this example, a “Padlock” selection 271 is shown and representsa particular lock (although it may represent a group of locks). Otherselections appearing on the screen shot 280 include “Front Door” 272,“Lock 650486” 273, “Lock 633237” 274, and “Drawer Front” 275. In theexample illustrated, the user may select one or more (or all) of theuser permitted lock selections displayed or highlighted in the selectionarea box 276 of the screen 270. Once the selections are made, the keywhich is to be programmed is provided with the codes for thecorresponding eLocks/eCylinders. A selection menu on the right 277, asdiscussed previously in connection with other screen menu depictions,provides options for the user to select, including to select all ornone, service, logout, or get key. A designation of key status 278 thatincludes battery status and key ready status also is shown on the screen270.

The following is an exemplary depiction of the system, where theterminal is used in conjunction with a route mode implementation. Inthis example, when a key is docked in a key receptacle associated with acomputing component, such as the terminal, the history, such as, forexample, who used the key, what lock or locks was the key used,including successful uses and/or attempted/failed uses, where and whenthe key was used, is downloaded from the key, and preferably is storedat the kiosk (e.g., if a touch screen kiosk, such as terminal 120 isused), and/or, according to some embodiments, may be pushed to a centralrepository. According to embodiments, the key, after having the keyhistory information downloaded therefrom, is then blanked to remove orremove access to the lock code information (that may have beenpreviously provided on the key). Once the pre-enrolled userverifies/identifies themselves through one or more factors (or acombination of factors according to preferred implementations, such as,e.g., pin code, card and/or biometric identifier—such as fingerprint,face, hand, iris, DNA, etc.) at the terminal using the associatedbiometric reader, credential reader, input component (e.g.,touchscreen), the key is programmed to operate all eCylinders (whichpreferably in this example are eCylinders of eLocks) for thepredetermined amount of time or corresponding schedule that the user waspre-programmed to access (e.g., through a management designation thatwas previously configured for this operation, e.g., by programming theterminal). Once the key is programmed with the appropriate codes (andoptionally released if a key retention mechanism has been actuated), theuser removes the key and moves forward accordingly. In thisimplementation, the user is not required to make a selection ofindividual or group of eCylinders, and the userverification/identification provides an association with the lock codesthat the user will need based on the user activities and operations tobe carried out. For example, the user route where the user has beenassigned specific duties that involve access to specific eCylinders(e.g., specific eLocks) are provided on the user key. Other featuresdescribed and depicted herein may be utilized in conjunction with thisimplementation.

Referring to FIG. 61, a screen shot 280 is shown depicting a route modeimplementation, which may be generated on a touch display screen, suchas, the touch display screen 128 of terminal 120, provides an availablecontainers listing 281 identified as “Padlock” 282. Padlock 282 in theexample illustrated, preferably represents a single lock, or morepreferably, a group of locks that is confirmed at the terminal for theidentified user, indicating the lock/eCylinder or grouping oflocks/eCylinders that the user may access. In the example depicted bythe screen shot of FIG. 61. In this example, the Padlock 282 representsthe access group or cylinder that the identified/verified user mayaccess.

In addition, features shown and described herein in connection with someembodiments, such as, the terminal 20 or terminal 120, may beimplemented separately or together in conjunction with implementationsof the method, system and devices.

While the system, method and apparatus of the invention have beendisclosed in detail, and the preferred embodiments and best mode forpractice of the invention have been similarly disclosed, the scope ofexclusive rights to which the invention is entitled is defined by theclaims appended hereto and by equivalents that perform substantially thesame function in substantially the same way to achieve the same result.

1-40. (canceled)
 41. A device for authenticating user access to asecured item that is secured by an electronic lock, the devicecomprising: a) a housing; b) a hardware processor; c) softwareconfigured with instructions for receiving and processing inputs; d)storage media, said software being stored thereon; e) communicationscomponents configured to transmit and receive communications over anetwork; f) a biometric reader coupled together with the processor andsoftware to provide biometric inputs; g) an electronic reader; h) atouch screen configured to receive inputs; and i) a key port configuredto receive an electronic key; j) wherein said software includesinstructions for comparing inputs from at least one of said biometricreader, said electronic reader and said screen, to determine whether theat least one biometric input, electronic reader input, and said screeninput verifies a condition for providing access to a lock; and k)wherein said software is programmed with instructions not to verify thecondition when a survey input matches a predetermined response.
 42. Thedevice of claim 41, including a key retention mechanism, wherein saidkey retention mechanism mechanically locks the key and releases the key.43. The device of claim 42, wherein said key retention mechanism lockssaid key to said key port during the time when said key is beingprogrammed.
 44. The device of claim 41, said biometric reader, saidelectronic reader and said touch screen being coupled with saidprocessor to provide inputs, and wherein said software includesinstructions for comparing (i) at least one input from said at least oneof said biometric reader, said card reader, and said screen, and, inaddition to the said at least one input from said at least one of saidbiometric reader, said card reader, and said screen, (ii) said surveyinput, to determine whether the inputs authorize a condition.
 45. Thedevice of claim 44, wherein said condition is authorization to activatea lock for programming, and wherein said device provides an internalcode to a user identified as authorized to access the lock by encodingthe internal code into an electronic key usable by the identifiedauthorized user.
 46. The device of claim 41, wherein said device isconfigured to provision an electronic key to access an electronic lock;wherein said device is configured to generate a survey on said screen;wherein said survey inputs are made through said screen; wherein saidsoftware includes instructions for receiving survey inputs, and whereinsaid survey inputs are required in order to provision said electronickey.
 47. The device of claim 44, wherein said device is configured toprovision an electronic key to access an electronic lock, and whereinsaid provisioning comprises programming said key with at least one lockcode that opens an electronic lock; wherein said device is configured togenerate a survey on said screen; wherein said survey inputs are madethrough said screen; wherein said software includes instructions forreceiving survey inputs, and wherein said survey inputs are required inorder to provision said electronic key.
 48. The device of claim 47,wherein said electronic reader is configured to read an electronic item.49. The device of claim 41, wherein said device is configured to programa key with one or more lock codes for actuating one or more electroniclocks, and wherein said device programs the key when the condition isverified.
 50. The device of claim 41, wherein said software includesinstructions for comparing an input from at least one of said biometricreader, said electronic reader, and said screen, and determining whetherthe input from said at least one of said biometric reader, saidelectronic reader, and said screen, together with said survey input,verifies a condition for providing access to a lock; and wherein saiddevice is configured to program a key with one or more lock codes foractuating one or more electronic locks, and wherein said device programsthe key when the condition is verified.
 51. The device of claim 41,wherein said device is configured to provision an electronic key toaccess an electronic lock; wherein said device is configured to generatea survey on said screen; wherein said survey inputs are made throughsaid screen; wherein said software includes instructions for receivingsurvey inputs, and wherein said survey inputs are required to verifysaid condition.
 52. The device of claim 41, wherein said predeterminedresponse comprises one or the other of an input selected from a choiceof two inputs.
 53. The device of claim 41, wherein said predeterminedresponse comprises at least one input selected from a choice of aplurality of inputs.
 54. The device of claim 53, wherein said softwareis further configured with instructions to verify a survey input bycomparing the survey input with a reference database.
 55. The device ofclaim 54, wherein said reference database is accessible through anetwork connection.
 56. The device of claim 53, including anelectronically programmable lock, an electronic key that is insertableinto the electronically programmable lock for recording an internal codeneeded to actuate the electronically programmable lock, wherein the keyport receives the electronic key, and wherein said software instructssaid hardware processor to receive and retain the internal code inassociation with the identification of the electronically programmablelock to which the code pertains; wherein the biometric readerelectronically biometrically identifies a potential user seeking toactuate the electronically programmable lock; wherein the electronicreader electronically identifies a credential for the user seeking toactuate the electronically programmable lock; wherein the touch screenreceives an input made by the user seeking to actuate the electronicallyprogrammable lock; wherein the software includes instructions for andinstructs said hardware processor to compare the identified potentialuser to a previously generated list of biometrically identified usersauthorized to actuate the electronically programmable lock to determinewhether the identified potential user is authorized to actuate theelectronically programmable lock; wherein the software includesinstructions for and instructs said hardware processor to compare theidentified credential to a previously generated credential of identifiedusers authorized to actuate the electronically programmable lock todetermine whether the identified potential user is authorized to actuatethe electronically programmable lock; and wherein the software includesinstructions for and instructs said hardware processor to compare theinput made on the touch screen by the user to a previously generatedlist of user PIN's of identified users authorized to actuate theelectronically programmable lock to determine whether the identifiedpotential user is authorized to actuate the electronically programmablelock.
 57. A device for authenticating user access to a secured item thatis secured by an electronic lock, the device comprising: a) a housing;b) a hardware processor; c) software configured with instructions forreceiving and processing inputs; d) storage media, said software beingstored thereon; e) communications components configured to transmit andreceive communications over a network; f) a biometric reader coupledtogether with the processor and software to provide biometric inputs; g)an electronic reader; h) a touch screen configured to receive inputs;and i) a key port configured to receive an electronic key; j) whereinsaid software includes instructions for comparing inputs from at leastone of said biometric reader, said electronic reader and said screen, todetermine whether the at least one biometric input, electronic readerinput, and said screen input verifies a condition for providing accessto a lock; and k) wherein said software is programmed with instructionsnot to verify the condition when a survey input is not properlyidentified.
 58. The device of claim 57, said biometric reader, saidelectronic reader and said touch screen being coupled with saidprocessor to provide inputs, and wherein said software includesinstructions for comparing (i) at least one input from said at least oneof said biometric reader, said card reader, and said screen, and, inaddition to the said at least one input from said at least one of saidbiometric reader, said card reader, and said screen, (ii) said surveyinput, to determine whether the inputs fail to authorize a condition.59. The device of claim 58, wherein said condition is authorization toactivate a lock for programming, and wherein said device provides aninternal code to a user identified as authorized to access the lock byencoding the internal code into an electronic key usable by theidentified authorized user.
 60. The device of claim 57, wherein saiddevice is configured to provision an electronic key to access anelectronic lock, and wherein said provisioning comprises programmingsaid key with at least one lock code that opens an electronic lock;wherein said device is configured to generate a survey on said screen;wherein said survey inputs are made through said screen; wherein saidsoftware includes instructions for receiving survey inputs, and whereinsaid survey inputs are required in order to provision said electronickey.